QUESTION


• Can I trust Microsoft with VoIP?

• What really happens when I dial 911?

• Is VoIP safe? Page 16.


Nortel taking 802.11n into its own hands

Plan seen as blow to OEM partner Trapeze Networks.

Page 14.


NETWORKWORLD

The leader in network knowledge ■ www.networkworld.com

July 2/9, 2007 ■ Volume 24, Number 26


review

The decision by Massachusetts to consider adopting a second open document format could revive similar legislation in other states. Page 10.


Q&A with the X-man

Kris Lamb, of IBM’s X-Force security group, on increasingly shrewd cyber criminals and the threat against Web 2.0. Page 12.


Exclusive Test: Network General's NetVigil tool

We put this virtual server management product through its paces.

Page 33.


Fearing Big Entertainment

BackSpin columnist Mark Gibbs on this new threat. Page 38.


CIOs, CSOs struggle as roles conflict

BY JON BRODKIN

The third in a series of stories on key security issues that will be discussed at this upcoming event.

THE SECURITY STANDARD: The Fairmont Hotel, September 10-11, 2007, Chicago, IL

Any chief security officer can tell you there’s a fine line between managing risk and fostering innovation. And the CSO’s relationship with the company’s CIO largely determines where that line is drawn.

“The chief security officer, by definition of their job, would like things to be more stringent than a CIO would practically allow,” says Marc Hoit, interim CIO and professor of civil and coastal engineering at the University of Florida.

Some argue a CSO should not report directly to a CIO, as happens at the University of Florida and many other organizations. Just as you wouldn’t want a financial controller reporting to an auditor, a company’s chain of command should give the CSO somewhere to turn when the CIO takes on too much risk, argues Andreas Antonopoulos,
See Security, page 26
CLEAR CHOICE TEST:

Exclusive test of Network General's NetVigil tool, which allows network managers to peer inside virtual servers.

Page 33.


ATTACK^  KILLERMS 


iHT  BACK  AGAINST 
INVASION.  PAGE  28 


LETTERS 


The high cost of blades

After reading your article on blade vs. rack mount performance and cost (www.nwdocfinder.com/9433), I felt that I really needed to make a statement.

I work for a nonprofit, and the bottom line is that blade technology will never be adopted by the small to midsize companies until they come down to 4U prices.

We build our own servers (four processors with 4GB of RAM, 1333GHz FSB and storage-requirement-based hard drive) at a cost each of about $2,200. If you multiply that by 14 servers, then we have a total cost of $30,800 (not the $116,700 for the IBM x3550).

Adding all the costs for 10G Ethernet and 1G Switch technology, the 4U solution is still the most cost-effective way to build the performance to run the business without breaking the bank.

David Oliver
I.T. director
Arizona’s Children Association


Wi-Fi security question

Regarding “Astounded by things legal” (www.nwdocfinder.com/9434) — you ask if it is reasonable to assume that unencrypted access points not displaying any logon challenge or acceptable-use policy are available for free use. I agree that the Wi-Fi owner should be held accountable.

My question is this: Are there access points available that would allow one to force an acceptable-use policy to display or require a logon? As far as I know, the ones at stores such as Best Buy and CompUSA don’t have that feature.

Kevin Weilbacher
Tampa, Fla.

Mark Gibbs replies: As far as I know there are no consumer Wi-Fi access points that have built-in network-logon features or acceptable-use policy displays. There are many add-on packages and most of them are free (such as NoCat), and therein lies the problem: They are way outside of the average consumer’s ability to implement.


Unsecured Wi-Fi networks

The issues you pointed out for home unsecured Wi-Fi networks (www.nwdocfinder.com/9435) are just another symptom of a much larger issue that I have had to deal with professionally for a number of years. Computers are complex. Networks are more so. Wi-Fi is not for amateurs.

Look at it this way: I’m pretty sure all 50 states require some form of driver education and testing before you can legally drive a vehicle, and if you don’t have a license and get into trouble, even if it’s not your fault, you are automatically liable. Pilots need to be licensed. Professional engineers, doctors and even my barber have to be certified. But when it comes to computers, which gets into the realm of security, the marketing gurus over the years have taught everyone that “you too can have a wireless network and not have to know anything about it!”

I hope the legal eagles eventually realize that if your home network is unsecured, this counts the same as not locking your front door. You then become liable for whatever happens because you did not use due diligence to protect your property. If you do not lock your car and it is stolen, you can kiss your insurance settlement goodbye — and properly so.

If you have a wireless network, then it is up to you to protect it, as you would protect all your other possessions. I sit in my office, with a highly secured wireless point, and I cannot believe how many unsecured networks I can find (our building sits across the street from residential property). Only my own conscience keeps me from raising havoc on those networks to try and get people’s attention. But then, they’d probably have no clue what was happening anyway. We have a country heavily dependent on computers, and just as totally computer illiterate.

As an amateur woodworker, I’m fond of saying that if computers were like table saws, we’d have a country full of people named Lefty. I have all 10 fingers, by the way — and I dare you to crack my home wireless network.

Steve Margison
Downers Grove, Ill.


E-mail letters to jdix@nww.com or send them to John Dix, editor in chief, Network World, 118 Turnpike Road, Southborough, MA 01772. Please include phone number and address for verification.

■ CONTACT Network World, 118 Turnpike Road, Southborough, MA 01772; Phone: (508) 460-3333; E-mail: nwnews@nww.com; ■ REPRINTS: (717) 399-1900; ■ SUBSCRIPTIONS: Phone (508) 490-6444; E-mail: nwcirc@nww.com; URL: www.subscribenw.com


READERS RESPOND Find out what readers are saying about these and other topics. www.nwdocfinder.com/1030
Microsoft to release six patches

Microsoft will release six groups of security patches this week, including three critical updates. The critical updates will fix bugs in many versions of Microsoft’s products, including the latest versions of Excel, Windows XP, Vista and Windows Server 2003, Microsoft said last week in a note on its Web site. Online criminals have used flaws in Excel and other Microsoft Office products in limited attacks over the past year. Typically the attacker will e-mail the victim a maliciously encoded Office attachment. If the document is opened, the hacker can then gain access to the victim’s computer. Microsoft isn’t releasing further details on the flaws it’s fixing until Tuesday, but it rates an update critical if it fixes a vulnerability that could be used by a hacker to remotely install unauthorized software on a victim’s computer. www.nwdocfinder.com/9461


SAP admits to ‘inappropriate downloads’ in Oracle case. Responding to a lawsuit filed by Oracle earlier this year, SAP admitted last week that its TomorrowNow division in the United States made “inappropriate downloads” from an Oracle Web site but said SAP never had access to the material. In an about-face from his previous position, SAP CEO Henning Kagermann also said that his company is open to a possible settlement with Oracle, which has charged SAP with “corporate theft on a grand scale.” TomorrowNow was authorized to download materials from Oracle’s Web site on behalf of customers, SAP said, but acknowledged that there were some inappropriate downloads of software patches and support documents. “Even a single inappropriate download is unacceptable from my perspective,” Kagermann said in a statement. Kagermann did not rule out the possibility of firing TomorrowNow employees for the downloads, but he said there are currently no plans to do so. www.nwdocfinder.com/9462

About half in United States have home broadband. Nearly half of all Americans have broadband Internet connections in their homes, largely because of increasing use among minorities and the poor, according to an annual survey by the Pew Internet & American Life Project. The number of home broadband users nationwide now equals the total number of Americans with any type of Internet connection in 2000, the first year the survey was conducted. Four out of 10 African-American adults have broadband access at home, compared to 15% two years ago. Nearly one-third of rural Americans have home broadband connections, compared with about one-half of Americans living in urban areas and the suburbs. “Income and race are becoming less important differentiators in U.S. broadband adoption,” states the Pew Internet Project, a nonprofit center that examines the social impact of the Internet. www.nwdocfinder.com/9463

Cisco co-founder launching start-up

Cisco co-founder Len Bosack is launching a company that claims it will bring “fundamental change to worldwide telecommunications” with an optical transport system allowing IT departments to easily and quickly deploy in-house metropolitan optical networks that make efficient use of space and power. Bosack, who founded Cisco in 1984 with his wife Sandy Lerner, is not talking publicly about his new venture, XKL. www.nwdocfinder.com/9463


0F  bugs  and 

UpUlllglll  BUG  ZAPPERS 

Company launches eBay for bugs.

Psst. Want to buy a zero-day? A Swiss start-up called WabiSabiLabi has some for sale, but to qualified buyers only.

The company last week launched a security-vulnerability marketplace, where details on unpatched software flaws can be bought and sold. By Thursday, the site was offering details on four bugs in products, such as the Linux kernel and Yahoo Messenger. No bids had yet been registered, and asking prices for the research ranged between 500 euros ($681) and 2,000 euros. WabiSabiLabi argues that the computer industry’s ethical-disclosure policies have led to a raw deal for security researchers, who typically are not paid for disclosing vulnerabilities.

Critics see it differently, with one calling the setup an “eBay for vulnerabilities.” www.nwdocfinder.com/9458


Talking Trojan says ‘bye bye’ to data.

The program, called the BotVoice.A Trojan, was first spotted by security vendor Panda Software. It is a Trojan horse program, which the victim must download first. But once installed, it gets nasty. The Trojan soon sets to work trying to delete everything from the victim’s hard drive, while at the same time endlessly repeating an audible message, apparently designed to taunt the victim. “You have been infected I repeat you have been infected and your system files have been deleted. Sorry. Have a nice day and bye bye,” the Trojan says. It does this by using a text-reading program that is part of the Windows operating system, Panda said. Users of Windows 2003, XP, 2000, NT, ME, 98 and 95 are all at risk. www.nwdocfinder.com/9459

Security gateway goes open source. Untangle has made its open source security software available free for download to network managers supporting environments of all sizes. Late last year Untangle, previously named Metavize, offered open source security software code only for customers with 10 or fewer employees. www.nwdocfinder.com/9460


New look, same dedication

You hold in your hands Network World reformatted as a magazine, a change that should make it easier for you to bring us along wherever you go. While the form factor is smaller, we remain dedicated to synthesizing industry developments so network leaders can make informed technology business decisions, the mission that has driven us for 21 years.

Key changes involve an increased focus on analysis, better summary of news stories amassing online, and more sense of how the online community is reacting to new developments. Let us know what you think.

- John Dix, Editor in chief (jdix@nww.com)
Follow these links to more resources online


VIDEO: INTERVIEWS, THE COOLEST TOOLS AND MORE

GPS: Devices vs. in-phone services

Keith Shaw debates the merits of purpose-built GPS units for the car as compared with the GPS services popping up on many cell phones. Which one is right for you?

www.nwdocfinder.com/9427


PANORAMA PODCAST:

Finding the perfect digital camera for summer

Jason Meserve and Paul Eng, senior Web editor for Consumer Reports, discuss what to look for in a new digital camera and what to avoid.

www.nwdocfinder.com/9429


Inside VoWi-Fi interoperability testing

A behind-the-scenes look at how the ILabs team tested the latest voice-over-Wi-Fi technology and what problems they found.

www.nwdocfinder.com/9428
NAC's usefulness in compliance

Half of businesses not meeting federal e-discovery rules


From our online forums


■ Do branch offices still need backup broadband service? Steve Taylor and Jim Metzler posed the question in a recent Wide Area Networking newsletter, and readers react: “We run a small business out of our house. We recently dropped our T-1 with 6 voice channels in favor of a DSL connection at 1.5Mb/s, a wireless link at 2Mb/s, and VoIP. The T-1 provider did not have any outages, but when deciding to go with services that do not have a tariffed response we decided redundancy was necessary.” www.nwdocfinder.com/9443

■ Don’t forget Data General. One user wondered why our recent story on “five things you didn't know about EMC” didn't mention the contributions of the Data General technology the company acquired: “The name of Clariion is derived from the DGC line once called AViiON, which itself is NOVA backwards, the first sixteen-bit minicomputer on the market.” www.nwdocfinder.com/9444

■ iPhone pros and cons. Yes, the debate continues, with Apple zealots on one side and some networking types on the other: “I have been answering questions about the iPhone for months now — practically every exec and power user in our company has asked. The conversations always go as far as ‘will it support our e-mail?’ Now, we do not allow access to IMAP or POP through our firewalls. No reason to. The superior e-mail technology right now is held by BlackBerry — hands down. Until someone can do something similar, I don’t see any reason to move away from our Pearls and 8800s w/ BES combo. It is more affordable, we have options for carriers and the performance is superior.” www.nwdocfinder.com/9445

■ 39 cents per message? One user likes the idea of a service that can add auditable tracking to e-mail messages, but not at the 39 cents per message the service, RPost, charges: “Since remote access is a primary application for NAC, the small ranks of vendors already delivering systems that integrate SSL VPN and advanced NAC will likely expand rapidly in the next 12 months.” www.nwdocfinder.com/9451


ONLINE: Cisco Subnet

Check out Network World’s Cisco Subnet, the independent voice for Cisco customers.

www.nwdocfinder.com/7073


Network access control: NAC can be useful for regulatory compliance when mixed with a strong security strategy. One NAC customer says he uses NAC at least in part to help meet some of the obligations HIPAA places on his business. But NAC is not a complete answer for complying with any particular set of regulations. NAC gear grants individuals access only to virtual LANs specified by NAC policy rules. This arrangement lets businesses control what resources users have access to. Only people who absolutely need to access sensitive data to perform their jobs get access to it. The NAC gear enforces this for LAN-attached machines, as well as those accessing via a VPN used by employees working remotely. www.nwdocfinder.com/9452

Wide area networking: The frustrating truth of being a network manager is that when apps are slow, you are wrong until you can prove the network is not to blame for the sluggish performance of an application. One network manager shares her recent tale of having to prove to the rest of IT that the network was not causing the slow application performance before the rest of the IS group would investigate their own areas. The reader said she felt sad and defeated to think that the investment and effort that her organization has made in deploying monitoring tools was being devalued, because not one person outside of the network team believes in and takes much consideration of the data.

www.nwdocfinder.com/9453

Storage: Half of businesses don’t meet federal e-mail discovery and retention rules, a recent study by Osterman Research says. Sixty-three percent of the 400 IT managers surveyed said they have had to produce an e-mail as the result of a legal action, and 53% of all respondents could not meet the so-called e-discovery regulations of the Federal Rules of Civil Procedure. www.nwdocfinder.com/9454

ISP news report: AT&T has completed a $12.4 million upgrade to the Internal Revenue Service’s call centers that is one of the first and largest deployments ever of Cisco’s Customer Voice Portal infrastructure, AT&T says. AT&T upgraded the hardware, software and circuits that the IRS uses to support 26 call centers nationwide. The call centers employ 8,000 IRS agents, who process more than 130 million calls annually. Thanks to the upgrade, IRS can now route calls on a nationwide basis rather than regionally. www.nwdocfinder.com/9455




NEWS ANALYSIS


Open-doc integration eyed in Mass.


BY JOHN FONTANA

The decision by the Commonwealth of Massachusetts to consider adopting a second open-document format could lead to integration issues but could also help revive similar legislation in other states.

Last week, Massachusetts proposed adopting the Open XML standard along with its use of the OpenDocument Format (ODF). The state presented its Enterprise Technical Reference Model (ETRM) 4.0 for public review and listed under the draft’s major revisions “Ecma-376 Office Open XML File Formats.”

The draft is open for public comment until July 20. The final draft, which will become official state policy, is expected at the end of July.

Open XML was derived from Microsoft’s Office OpenXML (ooXML), which is the default file format in Office 2007. The specification was approved as a standard in December by Ecma, an international membership-based standards organization.

“[Open XML] does meet our criteria for an open standard,” says Bethann Pepoli, acting CIO of the Massachusetts Information Technology Division. “There is industry support for the format since it was approved in December.”

The industry support, however, is in the form of a translator tool, and critics of Open XML say that will cause integration issues.

“Those companies are ‘implementing’ not through native support but through a so-called ooXML-ODF translator tool that is still in beta for spreadsheets and presentation and is nowhere near an adequate level of development even for text documents,” says Marino Marcich, managing director of the ODF Alliance.

Open XML Translator 1.0 was released in February as an open source project on the SourceForge Web site. A second beta of the OpenXML/ODF Translator for Excel and PowerPoint was released in May.

In July 2006, Chris Capossela, corporate vice president of Microsoft’s business division, acknowledged in a document titled “A Foundation for the New World of Documents” that “although file translation may not result in perfect document fidelity because of format and product differences, it is the most effective way to offer interoperability in a world where multiple file formats will need to coexist.”

In Massachusetts, Pepoli says the state has not seen integration issues to date but that guidelines will be added if major issues develop.

The guidelines in ETRM 4.0 say Open XML can be used for office documents, such as text (.docx), spreadsheets (.xlsx) and presentations (.pptx) but is not restricted to those file types.

Last month, the Danish Parliament began to tackle the same integration issue when it decided to open a one-year test, beginning Jan. 1, of adopting Microsoft’s ooXML in addition to ODF.

During the test, the government will study document exchange, including the use of converters to change document formats.

Analysts say second looks at Open XML show that users are being pragmatic given Microsoft’s dominance in office applications.

“I think Massachusetts is bowing to practicality here a little,” says Chris LeTocq, principal analyst of Guernsey Research. “Is OpenXML going to be out there and used by hundreds of thousands of the people whom the government workers are going to have to exchange documents with? Yes, it is.”

LeTocq says that could lead to the reopening of legislation killed or shelved in other states. Massachusetts passed its open document measure by executive policy decision in 2005 and is the only state with such a mandate.

“If you look at Massachusetts as a leader in open-document adoption, this says they have looked at the practicality, the effectiveness [of Open XML], or maybe they had to re-evaluate, maybe they saw something they didn’t see before that put pressure on them. Or maybe, at the end of the day, Massachusetts has a deal with Microsoft from a cost standpoint that we have not heard about,” LeTocq says.

ODF  proponents  take  aim  at  Microsoft 

ODF  supporters  are  already  bashing  the 
Massachusetts  review  of  Open  XML. 

“OoXML  looks  backward,  while  ODF  is  an 
international  ISO  standard  and  is  forward  look¬ 
ing,”  says  Bob  Sutor,  IBM’s  vice  president  of 
open  source.  “We  look  forward  to  seeing  the 
public  discussion  in  the  Commonwealth.” 

State  governments  are  taking  a  more  mea¬ 
sured  approach. 

A  spokesman  for  California  Assemblyman 
Mark  Leno  said  the  open-document-format  bill 
he  introduced  this  year  would  be  taken  up 
again  in  the  2008  session. 

“The  bill  doesn’t  specify  formats;  it  simply 
gives  criteria  for  the  formats,”  the  spokesman 
said. Given the state’s criteria, however, California
could reasonably concur with Massachusetts
that Open XML fits the criteria.

In  Minnesota,  where  electronic  documents 
are  being  studied  by  the  state’s  IT  department, 
formats  aren’t  on  the  table  yet,  so  changes  in 
Massachusetts could be relevant once that discussion
begins.

“We did not even use the term open-document
format, because we do not want to presume
an outcome of the study. The 2008 legislative
session may review this issue,” said
Sen.  Don  Betzold  in  an  e-mail  response  to 
Network  World. 

In  crafting  the  Open  XML  proposal  in  its 
ETRM,  Massachusetts  cited  Open  XML  support 
in  Microsoft  Office  2007,  OpenOffice  Novell 
Edition,  and  NeoOffice  2.1.  The  ETRM  also 
notes  Corel’s  announced  Open  XML  support 
for WordPerfect 2007, and that Microsoft’s Office
Compatibility Pack lets Office 2003, XP and
2000 translate documents to and from Open
XML Format for text, presentation and spreadsheet
documents.

But  adoption  of  Open  XML  in  Massachusetts 
is  not  a  done  deal. 

“Someone  could  submit  a  comment,  and  we 
could  make  a  review  of  ETRM  and  make 
changes,”  Pepoli  says.  Those  changes  could 
include  eliminating  Open  XML  in  the  final  draft. 

Massachusetts,  however,  is  migrating  to 
XML-based  document  formats  using  plug-in 
technology  while  it  considers  ways  to  serve 
people  with  disabilities  that  need  magnifiers 
not  supported  by  ODF-based  open  office 
applications. ■


In Brief

Former  Enterasys  execs  get 
prison  terms  in  fraud  case 

Four  former  executives  with  Enterasys 
Networks  have  been  sentenced  to  prison 
terms  for  their  roles  in  accounting  fraud  at 
the  company  that  cost  investors  millions  of 
dollars,  the  U.S.  Department  of  Justice 
announced  last  week. The  executives  were 
convicted  on  conspiracy  and  fraud  charges 
during  a  December  2006  trial.  At  sentencing 
hearings  in  U.S.  District  Court  for  the 
District  of  New  Hampshire,  Judge  Paul 
Barbadoro  sentenced  former  Enterasys 
CFO  Robert  J.  Gagalis  to  11-1/2  years  in 
prison.  Bruce  D.  Kay,  a  former  Enterasys 
finance  executive,  was  sentenced  to  9  1/2 
years  in  prison.  Robert  G.  Barber,  a  former 
Enterasys  business-development  executive, 
was  sentenced  to  eight  years.  Hor  Chong 
“David”  Boey,  former  finance  executive  in 
Enterasys’ Asia Pacific division, was sentenced
to three years.

Firm  says  administrator  stole 
2.3  million  customer  records 

Fidelity National Information Services, a
financial-processing company, said last
week that a senior-level database administrator
at one of its subsidiaries stole 2.3
million consumer records containing credit
card, bank account and other personal
information. “It’s a reminder that the best
security systems are not immune to rogue
employees,” said Renz Nichols, president of
the subsidiary, Certegy Check Services.

The company uncovered the actions of
the worker, who was terminated, in the beginning
of May, Nichols said.




NEWS  ANALYSIS 


Web  2.0  demanding  stronger  security 


At IBM Internet Security Systems, the company's
primary security research organization is
called X-Force. Kris Lamb, director of X-Force,
says his group is charged with knowing where
potential threats will arise and delivering products,
services and education to customers.
Lamb recently discussed with Network World Senior Editor
Denise Dubie the rise of shrewder cybercriminals and the
threat to Web 2.0.


What major changes in the security
industry  is  X-Force  tracking? 

Over the last 12 to 18 months or so,
we’ve seen the hard right turn of the
criminal underground shifting from a
notoriety-driven motivation to a very
highly organized financially driven motivation.
Money is really driving what they
do. All of the security vulnerabilities or
exploits or computers they control represent
real dollars to them given the
activities they are using these resources
for. Before it was about notoriety, it was
about being seen or noticed, or getting a
lot of press coverage by Web site defacements
and denial-of-service attacks that
were very public. Now the criminals
don’t want to be detected because
when they are detected they lose control
of the computing resources and
they are not able to engage in the criminal
activities, such as computer bot
exploitation or malware spreading or
phishing recruitment runs. They lose
those assets or the ability to conduct
those activities, and that means they are
losing money. The criminal underground
is now engaging in very shrewd, very
guarded sets of activities.

How  does  this  motivation  shift  change 
security  threats? 

Over the last 12 months, the types of
threats and attacks that are being
exploited and really being used in the
criminal underground are much more
application-centric and browser-centric.
Rather than the vulnerabilities of old
that were more operating-system related
and low level in nature, whether it be
default Windows or Unix services, these
vulnerabilities are still being found and
leveraged, but by and large the motivation
and the areas of threat research
going on among the criminal underground
are around highly repeatable,
highly undetectable types of attacks.
What’s the most ubiquitous activity that
people are conducting on the Internet?
That’s Web browsing and e-mail. Those
two are the No. 1 delivery vectors. What


you see is people looking at ways that
they can reliably utilize those two application
frameworks to deliver highly targeted
malware and exploits that leverage
the browser to infect computers or to
steal identities or engage in other sorts
of activities where those are the vectors
for attack.

How  does  the  change  in  threats  and 
attacks  impact  potential  victims? 

It is a lot more difficult for even discerning
computer enthusiasts and really
advanced  users  to  guard  themselves 
against  these  kinds  of  threats.  It  becomes 
difficult  to  discern  between  what  is  a 
valid  e-mail  and  nonvalid  e-mail  or  what 
is  a  valid  Web  site  and  nonvalid  Web  site. 

Is  there  a  perception  of  security  that 
perhaps  is  unwarranted  with  some 
Web  sites? 

If you were to interview 100 people, and
say, “List the top five trusted legitimate
Web sites,” a majority would say MySpace
or YouTube, and ironically enough those
are two of the riskier Web sites that
could be leveraged for attacks with
MySpace worms and MySpace spam as
well as embedded QuickTime malware
and other media format malware specific
to YouTube.

Are  these  types  of  community  sites 
creating  a  bigger  threat  on  the 
Internet  than  users  realize? 

The  explosion  of  Web  2.0  convergence 
and  the  democratization  of  content  and 
opening up of traditional content barriers
on the Internet have made it so that,
at  least  from  the  browser  perspective,  the 
distinction  [between]  what  is  safe  and 
what  is  not  safe  isn’t  an  easy  proposition. 
You  can’t  just  assume  that  because  the 
source  is  trusted  the  Web  site  is  safe. 

What  about  Web  2.0  poses  such  a  risk? 

A  year  ago  the  risk  was  much  greater, 
because  there  were  about  120  different 
Web  2.0  APIs  and  a  various  number  of 
application  frameworks  that  represent 
different  areas  that  would  need  to  be 
protected.  Now  as  the  market  has 
matured,  the  APIs  and  technologies  and 
Web  2.0  platforms  are  becoming  more 
standard and can be more easily protected.
Last year Web 2.0 was a very precarious
area to secure because there
were  not  a  lot  of  standards  or  a  whole 
lot  of  consolidation  in  the  industry.  Now 
security  vendors  can  focus  on  a  handful 
of  mainstream  technologies  that  we  see 
are  being  adopted  most. 

Can you give some examples?

There are a bunch of XML-related threats
that are similar to traditional SQL attacks
but targeted at the XML data layer.
Because XML is seen as ubiquitous in
transferring data from site to site and Web
service to Web service, attackers can target
that, but vendors can also better
secure it. As XML has become more of a
standard, security vendors are able to
deliver solutions that ensure integrity of
XML data and ensure XML can’t be
manipulated. Also as [Asynchronous
JavaScript + XML] becomes more mainstream
as the client side data-messaging
system powering a lot of Web 2.0 frameworks,
vendors can focus on protecting
the JavaScript and XML again in those
environments. Even today certain network
solutions are very effective in securing
Web 2.0 infrastructures if they are stateful,
protocol-based IPS products. ■

Nortel rethinks wireless LAN plan


BY  JOHN  COX 

Nortel plans to deliver its own set of 802.11n
wireless LAN products in 2008 as part of a
strategy to package a range of data and voice
products to create wholly wireless office
environments.

The company claims it will pump a “significant
increase” into R&D to design and build
new multiradio access points, and a new line
of WLAN switches, though it’s not specifying
how much new investment it will make. At the
same time, Nortel says it will create integrated
Ethernet switches to replace its dedicated wireless
switches with a switch family that can handle
wired and wireless client traffic.

The  decision  is  a  blow  to  Trapeze  Networks, 


BY  TIM  GREENE 

Start-up FastSoft is shipping an appliance
for speeding up IP WAN links that requires
customers to install just one box per connection
rather than two, which is the more standard
approach.

With its newly announced Aria appliance,
the company says it can reduce file transfer
times significantly through its FastTCP technology.
For instance, the company says a 6M
byte file that took 16 minutes to transfer over
a standard TCP connection took only 30 seconds
using FastTCP.

FastTCP is technology developed at the California
Institute of Technology about four years
ago to deal with a fundamental problem of the
TCP protocol, which requires an acknowledgement
that each packet sent has been received
before sending the next. If the acknowledgement
arrives too slowly, the sending machine
significantly throttles back its transmission rate,
which often results in data transfers being sent
more slowly than the link can support.

FastTCP uses algorithms that measure the
time from when a packet is sent until its
acknowledgement is received. It uses that information
to deduce the maximum sending rate
the link can support. It then adjusts the sending
rate. FastTCP interoperates with normal TCP.
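
The measurement-driven rate adjustment described above can be sketched as follows. This is an added example, not FastSoft's code: it uses a delay-based window update of the kind published for FAST TCP (whether the Aria appliance uses this exact rule is an assumption) beside a simplified loss-based sender, and the link parameters and function names are invented for illustration.

```python
# Added illustration: one flow on one bottleneck link, one step per round trip.
# Every constant below is an assumed value, not a figure from the article.

CAPACITY_PPS = 1000.0   # link capacity in packets per second
BASE_RTT = 0.100        # round-trip time with an empty queue, in seconds
BUFFER_PKTS = 20.0      # packets the bottleneck can queue before dropping
ALPHA = 20.0            # packets the delay-based sender tries to keep queued
GAMMA = 0.5             # smoothing factor, 0 < GAMMA <= 1

# Bandwidth-delay product: the window that exactly fills the link.
BDP = CAPACITY_PPS * BASE_RTT


def measured_rtt(window):
    """RTT the sender would measure: base delay plus time spent in the queue."""
    queued = max(0.0, window - BDP)
    return BASE_RTT + queued / CAPACITY_PPS


def delay_based_step(window):
    """Move the window toward the point where ALPHA packets sit in the queue.

    When the measured RTT equals BASE_RTT the link is not full and the window
    grows; as queueing delay appears the ratio BASE_RTT / rtt drops below 1
    and growth stops without any packet being lost.
    """
    rtt = measured_rtt(window)
    target = (BASE_RTT / rtt) * window + ALPHA
    return min(2.0 * window, (1.0 - GAMMA) * window + GAMMA * target)


def loss_based_step(window):
    """Simplified loss-based sender: add one packet per RTT, halve on overflow."""
    if window > BDP + BUFFER_PKTS:
        return window / 2.0
    return window + 1.0


def simulate(step, rounds, start=10.0):
    """Return the window after each round trip, beginning at `start`."""
    windows = [start]
    for _ in range(rounds):
        windows.append(step(windows[-1]))
    return windows


def mean_utilization(windows):
    """Average fraction of link capacity used over the given rounds."""
    return sum(min(w, BDP) / BDP for w in windows) / len(windows)


if __name__ == "__main__":
    fast = simulate(delay_based_step, 400)
    aimd = simulate(loss_based_step, 400)
    print("delay-based final window:", round(fast[-1], 3))
    print("delay-based utilization :", round(mean_utilization(fast[-100:]), 3))
    print("loss-based utilization  :", round(mean_utilization(aimd[-100:]), 3))
```

In this model the delay-based sender settles at the bandwidth-delay product plus `ALPHA` and keeps the link full, while the loss-based sender repeatedly overflows the buffer and spends part of each cycle below capacity.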

Other vendors, including Blue Coat Systems,
Expand Networks, Juniper Networks and Riverbed
Technology, place a box at both ends of
WAN connections and use multiple methods
to speed up traffic. These methods include TCP
optimization, which addresses the same problems
that FastTCP does. But they also include
optimized handling of specific application
protocols and various forms of caching so

which  has  been  Nortel’s  wireless  equipment 
supplier  for  several  years.  Nortel  rebrands 
Trapeze  access  points  and  switches,  which 
enterprise customers deploy as an overlay network,
with its own infrastructure, security and
management  separate  from  the  wired  network. 
Nortel  says  it  will  continue  to  act  as  an  OEM  for 
Trapeze  until  its  own  products  are  available. 

Nortel’s  new  products  won’t  begin  to  appear 
until  the  latter  half  of  2008,  and  the  timing  and 
the  technologies  make  sense,  says  Chris  Silva, 
analyst  for  enterprise  wireless  at  Forrester 
Research. The draft IEEE 802.11n standard,
which promises WLAN performance of 100M
to 200Mbps initially, will level the WLAN playing
field again, he says. Vendors will soon start


that less data is sent across the WAN. These
techniques require matched pairs of appliances,
one at each end of the connection.

These  vendors  also  claim  similar  or  greater 
overall  performance  improvements  compared 
with  FastSoft.  Performance  of  all  their  products, 
as  well  as  FastSoft’s,  depends  on  the  quality  of 
the  connection,  delay,  packet  loss  and  the  mix 
of  traffic  crossing  the  connection.  As  a  result, 
individual performance varies greatly.

FastSoft’s  Aria  device  is  suited  for  sites  where 
many  scattered  devices  connect  to  a  single 
server  or  set  of  servers  at  a  central  location  to 
download large files. There is no opportunity in
these situations for a second device at the other
end to support caching and protocol optimization.

Pacific Internet Exchange, a San Francisco
hosting company, beta-tested the gear and
found it sped up downloads by 32 times, says
PIE’s CEO David Grieshaber. PIE hosts corporate
Web servers at its headquarters for
Japanese  businesses  because  it  can  do  so  at 
50%  to  70%  off  the  price  of  hosting  in  Japan. 
This  remote  hosting  introduces  TCP  delays, 
which  FastSoft  addresses.  PIE  is  developing  a 
service  based  on  FastSoft’s  appliance. 

Grieshaber says he assigned an engineer in
his own firm to duplicate FastSoft’s technology,
but after a month of working on it full-time, his
technology produced only 70% of the performance
increase FastSoft’s could supply. He says
he looked for similar competitive products but
couldn’t find any.

Aria  comes  in  four  models:  Aria  1010, 
$10,000  to  $17,000;  Aria  1050,  $25,000  to 
$45,000;  Aria  1200,  $48,000  to  $100,000;  and 
Aria 2000, $80,000 to $250,000-plus. ■


delivering enterprise wireless gear based on
Draft 2 of the 802.11n standard and the market
for current gear will shrivel in proportion. “No
one has a lock on the 11n market at this point,”
Silva says.

That being the case, Nortel’s decision to take
control of its WLAN future makes “good strategic
sense,” Silva says. “Nortel was buying someone
else’s technology and had no control over
that development.”

Currently,  Nortel  offers  the  2300  series  of 
WLAN  access  points  and  controllers  from 
Trapeze,  its  own  outdoor  WLAN  mesh  nodes, 
and  fixed  and  mobile  WiMAX  radios  that  target 
backhaul  and  longer-range  mobile  networks. 

Nortel will design and introduce a multiradio
802.11a/b/g/n access point and accompanying
controllers, says Kyle Klassen, director
of enterprise wireless marketing for Nortel’s
enterprise converged data networking group.

At  the  same  time,  software  engineers  will 
integrate  the  management  and  security  of 
these  new  products  with  Nortel’s  existing 
offerings,  so  that  enterprise  customers  will 
have a single interface from which to oversee
and secure wired and wireless networks,
Klassen  says. 

The next step will be to create truly unified
Ethernet switches that can handle wired and
wireless access. To do so, Nortel will take advantage
of new silicon, possibly from chipmakers
like SiNett, and software, possibly from vendors
like NextHop Technologies.

Nortel  may  be  able  to  exploit  this  product 
line  in  some  unique  ways.  The  company  has 
been  active  in  contributing  technology  to  the 
WiMAX standard. It can marry 802.11n-based
WLANs at multiple enterprise sites with wider-area
deployments over WiMAX links, and interconnect
with municipal or other Wi-Fi mesh
networks. The result could be a seamless and
continuous connection between users with
mobile voice and data devices and their corporate
networks, Silva says. “Only Motorola
[with its recent acquisition of WLAN vendor
Symbol] and Nortel have this capability, and
potentially Cisco,” he says.

An  example  of  what  might  be  possible  was 
demonstrated  earlier  this  year  at  Nortel’s 
Interop  booth:  Using  equipment  implementing 
the  IEEE  802.21  standard,  Nortel  and  several 
partners  showed  mobile  devices  and  their  data 
applications  being  handed  off  seamlessly 
between  WLAN,  wired  Ethernet  and  WiMAX 
networks  without  sessions  being  interrupted  or 
users  having  to  re-logon  to  the  network, 
Klassen  says. 

To  do  this,  new  software  has  to  be  added  to 
both  client  devices  and  infrastructure  gear, 
such  as  radios  and  controllers,  Klassen  says: 
“This  [handoff]  takes  place  at  a  lower  layer  of 
the  [software]  stack,  which  means  not  just 
voice  but  also  all  my  other  applications  can 
take advantage of this automatically.” ■

NEWS ANALYSIS


Dissecting  Microsoft’s  VoIP  plan 

We  also  address  issues  of  VoIP  911  and  reliability 


BY  PHIL  HOCHMUTH 

VoIP  is  hot.  Gartner  predicts  that  by  2008, 
VoIP-enabled  systems  will  account  for  about 
97%  of  all  telephony  systems  sold.  But  with 
all  that  activity  comes  lots  of  questions. 
Here’s  our  take  at  answering  the  most 
pressing  ones. 

1.  Can  I  trust  Microsoft 
with  VoIP? 

There is plenty of uncertainty
in the corporate VoIP
arena, as reflected in a
recent series of consolidations
and private-equity buyouts.
One thing users can be sure of, though, is
Microsoft’s  intent  to  become  a  large  player  in 
corporate  IP  telephony  and  messaging. 

However,  some  users  and  industry  observers 
question  whether  Microsoft  server  technology 
has  the  mettle  to  handle  the  real-time  load  and 
reliability  requirements  of  corporate  telephony 
traffic  and  applications.  Others  say  the  move 
will help accelerate the use of converged messaging
and productivity applications such as
presence,  Web  conferencing  and  chat. 

Well known by now, the centerpiece of Microsoft’s
VoIP bid is Office Communications Server
(OCS) 2007, a real-time collaboration server
that has elicited much buzz and controversy in
the industry for a product not even available
for purchase yet. (The server, which is the successor
to Live Communication Server 2005, is
in a public beta and is expected for general
release later this year.)

“We believe, over time, [enterprise voice networks]
can be totally based on Office Communications
Server,” said Gurdeep Singh Pall,
corporate vice president of Microsoft’s Unified
Communications Group, in an interview earlier
this year at the VoiceCon show, where Microsoft
launched OCS 2007’s public beta. “For now, we
also want to help customers ... who are saying,
‘can I trust my voice [network] entirely to
Microsoft?’”

OCS, under the hood

As  with  any  commercial  VoIP  system,  such  as 
those  from  Avaya,  Cisco,  Nortel  and  Siemens, 
Microsoft’s OCS 2007 relies on proprietary protocols
and technologies.

Microsoft is deviating from the industry-standard
practice of using ITU codecs for
voice traffic compression and transmission —
mainly, the G.711, G.722 and G.729 codecs.

“We’ve made several investments in our own
audio and video codecs,” says Paul Duffy, group
product manager at Microsoft for OCS 2007.

Microsoft says part of the value in its own
codecs is the ability to compensate for congested
or low-bandwidth connections — such
as teleworkers’ dial-up lines, or broadband
links without QoS. Duffy says the OCS VoIP
codecs include technology that can repair
poor-quality VoIP transmissions. This is done
with software that compensates for packetized
bits that may be lost from one end to the
other during a VoIP conversation. The
Microsoft codecs, working with client software
on either end, inject signals
and tones into the voice
stream, which make the calls
sound better than standard
VoIP calls made over jittery
links, the company says.

Additionally, Microsoft uses
extensions to standard Session Initiation
Protocol (SIP), which allows for more flexibility
in the types of connections that clients can
make among each other. (OCS supports voice,
video, instant messaging and presence across
an array of devices, such as IP phones, and
Microsoft Office Communicator software on
PCs, cell phones and PDAs.)

OCS will also require a separate layer of server
infrastructure, called Mediation Servers, in
order to communicate with VoIP endpoints
using ITU-standard codecs and IETF-standard
SIP. These servers act as translators between an
OCS  2007  server  and  the  endpoints,  as  well  as 
a  gateway  between  an  OCS  server  and  other 
VoIP/public  switched  telephone  network 
(PSTN)  gateway  hardware.  Users  considering  a 
centralized  deployment  of  OCS  to  support 
remote  sites  would  have  to  install  a  Mediation 
Server  in  each  location  in  order  to  support 
standard  endpoints  and  for  making  PSTN  calls. 
Microsoft  recommends  a  full  Windows  2003 
server  (minimum  of  dual-3.2GHz  processors 
with  2GB  of  memory)  for  running  the 
Mediation  Server  software,  as  well  as  SQL 
Server  2005. 

OCS and the fifth ‘9’

Then there is the reliability issue. For years,
VoIP vendors have moved away from Microsoft’s
Windows Server as a platform for hosting
IP PBX applications. Avaya, Siemens and Mitel
run their call servers on Linux. Nortel’s
Communication Server 1000 runs on the real-time
VxWorks operating system (used in military
and NASA applications). 3Com’s VCX platform
runs on Sun Solaris.

Industry observers and vendors say the move
away from Windows to other platforms to host
VoIP was based on customer concerns about
the stability of Windows systems, and the frequent
software patching and updating required
on the servers. Cisco’s CallManager IP
PBX, long based on a Microsoft server, was ported
last year to Linux as an “appliancelike” system,
requiring minimal patching and operating
system tinkering, the company says. (Cisco still
sells and supports CallManager, now called
Unified Communications Manager, on
Windows.)

With  all  this  as  background,  some  views  are 
skeptical about Microsoft’s ambitions in enterprise
VoIP.

“I can see it now,” wrote one Network World
reader in an online forum about Microsoft OCS
2007. “‘Everyone, please get off the phone, we
have to apply a bug fix.’”

A major move Microsoft made a year ago to
convince enterprises that it can handle corporate
VoIP is the company’s partnership with
Nortel. The two vendors’ Innovative Communications
Alliance involves shared R&D, marketing,
sales and support resources over a four-year
span.

“We’re  dedicated  to  earning  the  confidence 
of all customers” when it comes to OCS reliability,
said Jeff Raikes, president of the Microsoft
Business  Division,  during  a  presentation  earlier 
this  year.  He  equates  Microsoft’s  entry  into 
enterprise  VoIP  with  the  company’s  emergence 
in  mission-critical  data  center  serving.  “We’re 
not  new  to  this  position  in  the  area  of  critical 
communications.”  He  pointed  out  that  the 
Nasdaq  stock  market  runs  on  Windows  and 
SQL  Server,  and  upward  of  10  million  Cisco  IP 
phones  are  tied  into  Windows  servers  running 
Cisco’s  CallManager  platform. 

“We  want  to  work  closely  with  partners  such 
as Nortel to help power telephony in our software,”
he said.

Users  of  Microsoft  and  Nortel  technologies 
say  this  is  a  good  development. 

“From  what  I’ve  seen,  it  should  be  positive,” 
says  Joanne  Kossuth,  CIO  at  Olin  College  of 
Engineering  in  Needham,  Mass.,  which  runs  a 
Nortel-based  VoIP  network,  and  Microsoft 
Exchange  messaging  servers. 

The  college  is  beta  testing  OCS  2007  and 
could  roll  out  services  to  the  school  next  year. 
Kossuth  says  integration  of  presence,  federated 
IM  and  conferencing  into  Microsoft  Outlook, 
with  Nortel  call  control  systems  on  the  back 
end,  will  be  easier  to  roll  out  and  manage. 

“Now you’re going to be able to add capabilities
without having to add new staff and skill
sets to handle that capability,” she says. This has
concerned Kossuth as she has explored such
applications in the past.

As  for  system  reliability,  OCS  2007  could 
only  gain  from  closer  integration  with  Nortel 
technology,  she  says. 

“In  my  work  with  Nortel,  I’ve  seen  them  as  a 
company  that  engineers  products  at  150%,” 
Kossuth  says.  “They  don’t  go  to  market  with 
something  unless  it’s  more  than  ready. 
Microsoft doesn’t necessarily have the same
reputation. So I’m thinking that there will be
some  complementary  things  there. . . .  Maybe 
together,  they’ll  deliver  products  that  are 
100%.” 

2.  VoIP:  What  happens  when  I  dial  911? 

All  corporate  IP  PBX  systems  can  dial  911 
services,  but  how  much  critical  location  data 
is  transmitted  during  a  life-or-death  call 
depends  on  how  the  VoIP  network  and  LAN 
are configured. The issue of IP soft phones and
mobile  voice  over  Wi-Fi  complicates  the  issue. 

Enhanced  911  service  support  was  a  major 
stumbling  block  for  VoIP  when  it  emerged  in 
the  consumer  market  several  years  ago. 
Technical  issues,  and  some  well-publicized 
incidents  of  failed  emergency  response  from 
service  providers,  forced  the  FCC  to  step  in 
with  special  911  requirements  for  Internet 
phone  service  providers. 

Many companies are still dealing with 911
issues and IP telephony deployments, as many
IT departments still must manually track the
location of phones in corporate offices. The
easy portability of IP phones and the emergence
of wireless IP handsets are challenges
for maintaining an accurate device-location
database of phone extensions.

Enhanced  911,  or  E911,  requires  specific 
location  information  to  be  transmitted  from  a 
phone dialing 911 in an emergency, including
building number, if a single campus address
contains multiple buildings, as well as floor
numbers’ directional location (for example
north, south, east, west).

“We do support 911 on all of our telephones
on our campus,” says Scott Mah, assistant vice
president for IT infrastructure at the University
of Washington in Seattle. “We have policies in
place  to  limit  end  users  from  moving  their 
phones  around,  which  helps.  But  anytime  we 
put  a  phone  into  service  we  basically  register 
that  telephone  number  and  its  corresponding 
address  with  the  database.” 

The  database  maintained  by  the  school’s  IT 
staff  is  passed  to  local  emergency  911  call 
centers,  or  Public  Safety  Answering  Points 
(PSAP),  which  links  location  information  to 
each  phone  number  in  the  school’s  system. 
This Automatic Location Identification (ALI)
data is what’s relayed to rescuers; if a 911 call
is disconnected, emergency responders have
information  on  where  to  go. 

“[E911] is something we care a lot about,
and  it’s  something  we’ve  maintained  even 
without  IP-enabled  endpoints,”  Mah  says. 

There  are  some  ways  to  automatically 
update  ALI  information  when  IP  phones  are 
moved.  Some  of  this  involves  some  planning 
of  the  campus  network  layout.  New  protocols 
and  software  are  also  available  to  help.  Clever 
network  administrators  can  set  up  pools  of  IP 
addresses  into  subnets  that  correspond  to 
physical locations inside a building or campus.
IP phones plugged into ports in these
locations  would  automatically  be  linked  to  a 
building  number  and  floor. 
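
The subnet-to-location approach in the paragraph above can be sketched like this. It is an added example, not code from the article or from any vendor named in it: the subnets, extensions, locations and function names are all constructed, and the reconciliation against a manually registered ALI record is one assumed way to combine the two sources.

```python
import ipaddress

# Constructed sample data: every subnet, extension and location is invented.
SUBNET_LOCATIONS = {
    "10.20.0.0/16": ("Building 2", None),             # building-wide pool
    "10.20.3.0/24": ("Building 2", "Floor 3 north"),  # per-floor pool
    "10.31.1.0/24": ("Building 5", "Floor 1 east"),
}

# Manually maintained ALI records: extension -> (building, floor/direction).
REGISTERED_ALI = {
    "4101": ("Building 2", "Floor 3 north"),
    "4102": ("Building 2", "Floor 3 north"),  # phone later carried to Building 5
    "4150": ("Building 2", "Floor 7 south"),
    "4200": ("Building 9", "Floor 2 west"),   # softphone on a VPN address
}

# Most specific (longest) prefixes first, so a floor pool beats a building pool.
_NETWORKS = sorted(
    ((ipaddress.ip_network(cidr), loc) for cidr, loc in SUBNET_LOCATIONS.items()),
    key=lambda item: item[0].prefixlen,
    reverse=True,
)


def locate_by_subnet(ip):
    """Return the location of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for network, location in _NETWORKS:
        if addr in network:
            return location
    return None


def resolve_ali(extension, ip):
    """Combine the network-derived location with the registered record.

    Returns (location, status), where status is one of:
      confirmed    - subnet and registered record agree
      moved        - subnet contradicts the record; the record is stale
      unregistered - subnet gives a location but no record exists
      unverified   - address is in no location subnet (softphone, VPN, Wi-Fi)
      unknown      - no subnet match and no registered record
    """
    registered = REGISTERED_ALI.get(extension)
    derived = locate_by_subnet(ip)
    if derived is None:
        return (registered, "unverified") if registered else (None, "unknown")
    if registered is None:
        return derived, "unregistered"
    building, floor = derived
    if registered[0] == building and floor in (None, registered[1]):
        return registered, "confirmed"  # the record is at least as precise
    return derived, "moved"


def stale_records(phone_addresses):
    """Extensions whose ALI record needs correcting before a 911 call is made."""
    return sorted(
        ext for ext, ip in phone_addresses.items()
        if resolve_ali(ext, ip)[1] in ("moved", "unregistered", "unknown")
    )


if __name__ == "__main__":
    seen = {"4101": "10.20.3.17", "4102": "10.31.1.40", "4200": "172.16.8.9"}
    for ext, ip in seen.items():
        print(ext, ip, resolve_ali(ext, ip))
    print("needs update:", stale_records(seen))
```

The `unverified` case is the one the subnet scheme cannot solve on its own: an address outside every location pool says nothing about where the caller is, so the registered record is all that can be sent.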

Cisco, Enterasys, Extreme, Nortel and Foundry
have their own proprietary discovery protocols
for finding switches, routers and other
devices on a network. But getting a Cisco
switch to detect, let alone collect location data,
on a Nortel IP phone is tricky if not impossible.
The Link Layer Discovery Protocol-Media Endpoint
Discovery (LLDP-MED) is a Telecommunications
Industry Association standard
supported by Avaya, Extreme and ProCurve by
HP, which enables LAN switches to collect
device information and location data from IP
phones (as well as other LLDP-MED-compliant
devices, such as Wi-Fi access points) when network
connections are plugged in. But because
wide adoption of a standard discovery or registration
protocol for phones is limited, users
must work with what they have.

Technology  has  even  emerged  recently  for 
tracking  location  data  for  IP  softphone  users. 
RedSky, which makes E911 software for enterprises
and carriers, recently launched its RedSky
Softphone Location Determination Application
(SLDA), which works with Avaya softphone
clients. The software lets users input
location data during the logon process for the
softphone application, which is then sent if 911
is dialed from the application.

The  city  of  Oakland,  Calif.,  uses  a  VoIP  system 
from  ShoreTel  to  support  around  2,000  city 
employees at multiple locations. IT and telecom
technicians use a mix of automated and
manual database maintenance to deliver E911
ALI data to emergency responders. Ethernet
switches in the city’s network use virtual LAN
(VLAN) tags that are grouped according to
buildings. ShoreTel IP phones can also correlate
user names and system extensions with IP
phone hardware, which is all collected in a
database on the system. “This will tell 911
where the call is coming from, what the caller’s
name is, and what building,” says Bob Glaze,
CTO for the city. “But to bring it back to the
exact location, we enter that information ourselves,”
into the ShoreTel ALI database, which is
passed to local PSAPs.

“The  real  issue  is  that  people  typically  feel 
more comfortable moving VoIP around, whereas
they didn’t feel like they could terminate
their own digital phone in the past,” says Drew
Depler,  Boulder  County,  Colo.,  IS  director. 

Even though the county uses all Cisco switches,
CallManager IP PBXs and IP phones, a
spreadsheet is used to update location data
anytime a phone is moved. Only IT staff are
allowed to physically move IP phones, Depler
adds. “It’s a manual set that we’ve added to our
procedures list.”

Depler  says  the  proliferation  of  softphones 
and  VoWi-Fi  handsets  is  starting  to  emerge  as 
another challenge for E911 services. “That really
starts to become a cost-saving opportunity,”
Depler says of softphones, which allow county
employees  to  work  from  home  and  cut  down 
telecom  costs.  And  in  the  future,  if  they’re  used 
widely,  softphones  could  also  eliminate  the 
need  for  more  costly  IP  desktop  handsets. 

But, Depler says, this also raises an issue for
mobile workers with softphones. “How do you
track  where  they  are?  It  does  have  some 
impacts  on  911.  There  are  real  tenuous  issues 
as  we  look  at  mobility  and  we  look  at  IP 
phones  moving  anywhere.” 

3.  Is  VoIP  safe? 

VoIP  safety  is  a  broad  question  that  touches 
on  many  aspects  of  how  IP  telephony  systems 
operate  and  the  various  parts  of  the  network 
VoIP  touches,  but  according  to  one  survey  one 
thing is clear: VoIP technology isn’t safe enough
for  many  businesses. 

Only  half  of  IT  executives  polled  recently  in 
a  CompTIA  study  said  they  think  security 
technology  built  into  corporate  VoIP  products 
and services is solid. The survey (of 350 companies
with 500 employees or fewer) showed
that even wireless technology — often
maligned for its security weakness — was
considered more secure than VoIP. (Sixty percent
of respondents said they trusted security
in Wi-Fi gear.)

With VoIP, security concerns among the
respondents in the CompTIA survey did not
relate just to potential attacks on VoIP gear and
software, but also to the effect a general worm or virus
outbreak could have on the quality of IP voice
calls.  Worms  and  viruses  that  flood  corporate 
networks  with  traffic  may  cause  e-mail  delivery 
to  be  delayed,  and  slow  application  response 
times.  But  the  latency  introduced  can  kill  an  IP 
telephony  conversation. 

As for VoIP products, vulnerabilities are popping
up more in IP telephony gear and software.
Cisco, for instance, over the last 18
months issued nine major vulnerability advisories
on products ranging from IP phones and
IP PBXs, to routers that perform VoIP processes
and functions. These nine warnings — serious
enough for the vendor to issue software patches
— compare with the two VoIP-related vulnerabilities
Cisco had issued in the 18 months
prior (July 2005 to January 2006).

Many vendors’ IP call-processing and messaging
products run on top of Linux, Windows,
Sun or other server operating systems. Softphones
generally run on Windows desktops,
while applications such as VoIP-based call center
platforms can touch a wide array of other
applications. Taking all this into account, Avaya
had 25 product security advisories relating
directly to its VoIP products or affecting underlying
software products on which Avaya’s technology
runs, according to security research
Web site Secunia. The Internet Security
Systems X-Force vulnerability database has
more than 100 entries over the past five years
relating to vulnerability reports in VoIP products,
applications and underlying protocols.

Some security researchers say the basic technology
of some VoIP protocols is by nature
hackable  or  susceptible  to  denial-of-service  or 
call-interception  attacks. 

Sheran Gunasekera, a researcher with Scanit,
wrote  in  a  report  that  VoIP  call  interception  can 
be  simple  if  targeted  against  equipment  and 
traffic  using  nonencrypted,  standards-based 
protocols.  Scanit  says  tests  it  conducted  used 
standard  SIP  signaling  protocol  and  Real  Time 
Protocol  (RTP)  for  media  transmission. 

Against SIP-based VoIP conversations “signaling
attacks can be used to eavesdrop on conversations
and reroute or hijack calls,” Gunasekera
writes. “It is extremely easy to replay or
resend  SIP  messages”  to  SIP-based  call  control 
gear  in  order  to  add  participants  to  a  SIP  call  or 
reroute  the  traffic. 

Additionally, “media stream attacks are as
easy to perform in a typical VoIP implementation,”
Gunasekera writes. “Any RTP streams intercepted
by an attacker can easily be decoded
with  the  relevant  audio  codec  and  the  actual 
voice  call  can  be  recorded  or  listened  to.” 

Other  VoIP  threats  on  the  horizon  include  the 
emergence  of  maliciously  designed  VoIP  audio 
codecs. Theoretically, these so-called evil codecs
are a VoIP audio stream designed specifically
to crash a VoIP endpoint or server. VoIP
industry pioneer Henry Sinnreich, who helped
develop  early  implementations  of  SIP  while  at 
carrier  MCI,  said  at  a  recent  trade  show  that 
researchers  are  already  demonstrating  such 
attacks  are  possible. 

“Eavesdropping is one example of an overhyped
threat,” said Lawrence Orans, a Gartner
researcher, in a previous interview. “It’s technically
possible to execute a man-in-the-middle
attack and capture packets. The reason that
we hear so much about eavesdropping is that
it really does elicit this visceral reaction. The
main  thing  is  to  focus  on  the  greater  threats,  for 
example  attacking  an  IP  PBX  server  itself.” 

“It is possible to have a secure VoIP deployment
if you follow best practices,” said David
Endler, chairman and founder of the VoIP
Security Alliance (VoIPSA) and director of security
research for TippingPoint, in a previous
interview. “All of these systems are securable,
but they do take some knowledge to get them
to that point.” Using encryption on VoIP signaling
(SIP and H.323) and payload streams
(RTP and UDP typically) is one approach.
Ensuring IP PBX servers are patched and
configured properly, and restricting the types
of traffic that can contact IP endpoints, are
other measures.
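To make the signaling and media encryption measure concrete, the added sketch below (not from the article or any vendor) inspects a captured SIP INVITE and reports whether the signaling hop and each SDP media stream are protected. The two INVITE messages, host names and key placeholder are constructed; the function name is hypothetical.

```python
# Transport tokens in a Via header that indicate a TLS-protected hop.
SECURE_TRANSPORTS = {"TLS", "TLS-SCTP", "WSS"}
# SDP media profiles that carry SRTP instead of plain RTP.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


def _msg(headers, sdp):
    """Assemble a SIP message with CRLF line endings, as on the wire."""
    return "\r\n".join(headers) + "\r\n\r\n" + "\r\n".join(sdp) + "\r\n"


# Constructed sample: cleartext signaling and cleartext media.
PLAIN_INVITE = _msg(
    ["INVITE sip:1002@pbx.example.test SIP/2.0",
     "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed-1",
     "From: <sip:1001@pbx.example.test>;tag=a1",
     "To: <sip:1002@pbx.example.test>",
     "Call-ID: constructed-1@192.0.2.10",
     "CSeq: 1 INVITE",
     "Content-Type: application/sdp"],
    ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
     "t=0 0", "m=audio 49170 RTP/AVP 0 8"],
)

# Constructed sample: TLS signaling and SRTP media keyed through a=crypto.
SECURE_INVITE = _msg(
    ["INVITE sips:1002@pbx.example.test SIP/2.0",
     "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK-constructed-2",
     "From: <sips:1001@pbx.example.test>;tag=b2",
     "To: <sips:1002@pbx.example.test>",
     "Call-ID: constructed-2@192.0.2.10",
     "CSeq: 1 INVITE",
     "Content-Type: application/sdp"],
    ["v=0", "o=- 2 2 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
     "t=0 0", "m=audio 49172 RTP/SAVP 0",
     "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY"],
)


def audit_sip_message(raw):
    """Return a list of findings; an empty list means nothing was flagged."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    findings = []

    # Signaling: the topmost Via shows the transport of the hop we captured on.
    transport = None
    for line in head.split("\n")[1:]:
        name, _, value = line.partition(":")
        fields = value.split()
        if name.strip().lower() in ("via", "v") and fields:
            transport = fields[0].split("/")[-1].upper()
            break
    if transport is None:
        findings.append("signaling: no Via header found")
    elif transport not in SECURE_TRANSPORTS:
        findings.append(f"signaling: Via transport {transport} is not TLS-protected")

    # Media: walk the SDP, tracking key material per m= section.
    streams, current, session_keyed = [], None, False
    for line in body.split("\n"):
        if line.startswith("m="):
            parts = line[2:].split()
            if len(parts) < 3:
                findings.append(f"media: malformed m= line {line!r}")
                current = None
                continue
            current = {"media": parts[0], "profile": parts[2].upper(),
                       "keyed": session_keyed}
            streams.append(current)
        elif line.startswith(("a=crypto:", "a=fingerprint:")):
            if current is None:
                session_keyed = True   # session-level fingerprint covers all streams
            else:
                current["keyed"] = True
    for s in streams:
        if s["profile"] not in SECURE_PROFILES:
            findings.append(
                f"media: {s['media']} stream uses {s['profile']} (unencrypted RTP)")
        elif not s["keyed"]:
            findings.append(
                f"media: {s['media']} stream offers {s['profile']} "
                "but carries no a=crypto or a=fingerprint key material")
    return findings


if __name__ == "__main__":
    for label, msg in (("plain", PLAIN_INVITE), ("secure", SECURE_INVITE)):
        print(label, audit_sip_message(msg) or "no findings")
```

The Via check covers only the hop where the message was captured; a call can still cross a cleartext hop elsewhere on its path.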

Orans  agrees  that  IT  security  best  practices 
can cover most common threats to a VoIP network.
“Enterprises that diligently use security
best  practices  to  protect  their  IP  telephony 
servers  should  not  let  [VoIP]  threats  derail  their 
plans,”  he  writes  in  a  report.  ■ 
TECH UPDATE

An  inside  look  at  technologies  and  standards 

Cooperative  optimization 


BY  FRANK  LYONNET 

In modern MPLS networks with any-to-any connectivity, competition for
network resources is fierce, not only among applications and users
within each site but also among sites themselves. As a result, the challenge
of providing critical application-performance guarantees is growing
ever  more  daunting. 


Today  a  service-provider  class  of  service  is 
often  used  in  MPLS  networks  to  address  critical 
application-performance  issues.  While  this 
technology  ensures  consistent  performance 
inside  the  MPLS  cloud,  it  cannot  adequately 
handle  the  competition  among  users  and 
applications  to  access  the  cloud. 

For  that  reason  many  enterprises  implement 
application  traffic-management  technologies 
over their MPLS networks to attain a more flexible,
per-flow management of the traffic. These
implementations are cost-effective only in
hub-and-spoke networks.

Cooperative optimization is a new technology
that addresses the cost and complexity of
traffic management over large distributed networks
with any-to-any connectivity. It can handle
competition among users and applications
while  optimizing  use  of  resources  without 
installing  devices  in  each  branch. 

Cooperative  optimization  relies  on  a  system 
rather than a box approach to traffic management.
In this architecture, devices constantly
exchange  information  about  what  they  see 
using  a  dedicated  communications  protocol. 
The  cooperating  devices  gather  statistics  about 
the  demand  for  resources  coming  from  users, 
what  “supply”  or  traffic  handling  is  needed  to 
deliver  a  good  quality  of  experience  to  them 
and  what  the  network  is  capable  of  delivering 
—  end  to  end  —  at  any  given  time. 

Based on sharing the joint view of these statistics
from multiple devices, cooperative optimization
computes the optimal traffic-management
parameters for each device.

The  strength  of  this  approach  is  it  controls  the 
behavior  of  each  traffic  flow  at  the  source  and 
optimizes  the  destination  site’s  resources  using 
global  information  regarding  competition 
among sites — which is a necessity for achieving
consistently good application performance
in  any-to-any  topologies. 

To  understand  how  this  works,  consider  a 
large  international  car-rental  company  with  a 
non-hub-and-spoke, multiple-star topology. The
company  has  1,500  rental  “branches”  (from 
large  offices  to  kiosks),  two  main  data  centers 
and  13  regional  data  centers. 

The  most  critical  application  supports  the 
rental  process  and  is  hosted  at  the  main  data 
center and is accessed by all of the locations.
Several other important applications compete
with  it  for  resources,  including  e-mail  traffic 
from  the  regional  data  centers. 

One  traffic  problem  occurs  when  a  rental 
branch location accesses the rental application
at the main data center over the WAN
while e-mail is trying to synchronize with a
regional data center. The resulting competition
between application flows creates congestion
at the branch router and impairs the performance
of the rental application.

Although  such  competition  can  be  handled 
with  a  per-flow  traffic-management  device  in 
the branch (as long as the traffic from the main
and regional data centers does not contain
non-TCP traffic), controlling it on the destination
side  is  not  optimal. 

Through  global  management  of  the  network 
traffic  the  congestion  in  the  branch  router  can 
be  avoided,  even  without  a  device  in  the 
branch.  The  cooperating  devices  in  main  and 
regional data centers exchange information in
real time about the flows they are controlling,
and  from  that  they  detect  that  they  are  both 
sending  traffic  toward  the  branch. 

They  dynamically  compute  the  bandwidth 
that  should  be  given  to  each  user  session  going 
to the branch based on their shared knowledge
of the traffic mix and of the resources
available. They thus effectively prevent congestion
in the destination router by controlling the
traffic  at  the  source  before  it  ever  enters  the 
cloud  in  the  first  place. 

As this example demonstrates, cooperative-optimization
technology can dramatically reduce
the costs and the complexity of application
traffic management over large distributed
networks by removing the need for appliances
in branches. It also reduces ongoing management
costs because it enables the system to be
configured  and  controlled  from  a  single  point 
rather  than  device  by  device. 

Finally, cooperation lets the system respond
dynamically to the ever-changing user demand
on the WAN so that traffic flows are automatically
kept optimal from an application performance
perspective. That is why this technology
is emerging as the preferred platform for
delivering  application-based  QoS  in  large 
enterprise  networks. 

Lyonnet  is  director  of  product  management 
at  Ipanema  Technologies  and  can  be  reached 
at  lyonnet@ipanematech.com. 


Stopping  congestion  before  it  occurs 

Cooperative  optimization  obviates  the  need  for  branch-office  appliances  by 
centralizing  control  in  data  centers. 

A  rental  car  branch  trying  to  access  the  rental  application  over  the  WAN,  for  example, 
could  be  disrupted  if  e-mail  tries  to  synchronize  with  a  regional  data  center  at  the 
same  time,  creating  congestion  at  the  branch  router. 
By enabling data centers to exchange
information  about  traffic  flows  and 
dynamically  compute  the  bandwidth 
needed,  congestion  at  the  destination 
router  is  avoided. 


An  invisible  abomination 


Once  upon  a  time  ISPs  just  transported 
packets  of  information  from  place  to 
place  without  looking  at  them  other  than 
to  find  out  where  they  should  go.  Of  course, 
that  could  not  last.  Now  a  company  is  selling 
ISPs  a  device  designed  to  spy  on  customer 
traffic,  track  preferences  and  insert  specially 
selected  ads  during  Web  surfing. 

Start-up  NebuAd  seems  to  be  trying  to  put 
all  ISP-related,  bad  network-behavior  into  a 
single  box.  It  is  trying  to  sell  a  device  that, 
according  to  its  Web  page,  will  “analyze  and 
act on consumer behavior” in order to develop a “keen insight into a
consumer’s dynamic, web-wide behavior.” Basically, the device spies
on traffic to try to determine the “demographics, geography, lifestyle
and interests” of individual customers (see www.nwdocfinder.com/9432
for NebuAd’s Fair Eagle division Web site). The box then can
insert ads into the data stream the customer is receiving back from a
Web site. This is done without the knowledge or permission of the
customer  or  the  Web-site  owner.  Predictably,  just  like  the  data  brokers 
who  sell  your  every  secret  to  the  lowest  bidder,  NebuAd  tries  to  claim 
that  this  is  in  the  best  interest  of  the  consumer.  Also  note  that  the 
company  could  be  subpoenaed  for  any  spying  it  might  have  done  on 
traffic  to  or  from  your  IP  address. 

My  reaction  on  reading  about  this  device  was  one  of  disgust  —  it’s 
as  if  one  were  to  take  the  entire  swamp  of  bad  things  an  ISP  could  do 
and  boil  it  down  to  get  concentrated  slime.  NebuAd  does  claim  it 
doesn’t  collect  or  use  any  personally  identifiable  information,  but, 
based on experiences such as AOL’s data release — thanks for nothing,
AOL (see www.nwdocfinder.com/9430) — if one collects the
kind  of  information  NebuAd  seems  to  be,  it  is  easy  to  figure  out 
whom  you  are  looking  at  in  far  too  many  cases. 

In addition, even if the company might not be collecting personally
identifiable information today, it is hard to trust that a company offering
such an invasive product would not hesitate to change its tune if
it thought there was a buck in it somewhere. It may give a hint to the
company’s mind-set if you understand that “nebu” is the Egyptian
hieroglyph  for  gold. 

Some of this is far from a new idea. The idea of developing technology
to enable ISPs to insert or replace ads surreptitiously when their
customers surf the Web came up in the IETF more than six years ago.
The Internet Architecture Board carefully considered the policy and
architectural aspects of the idea and published RFC 3238,
“Architectural and Policy Considerations for Open Pluggable Edge
Services” (see www.nwdocfinder.com/9431). This document, among
many  other  things,  said  that  any  deployment  of  such  technology  must 
be  enabled  only  if  the  user  or  the  Web  site  operator  agreed.  NebuAd 
is  ignoring  that  guidance. 

At  least  one  Texas-based  ISP  has  tried  this  device  without  letting  its 
users know. If you were a customer of that ISP and you surfed my ad-free
Web site, you might see ads and assume I had sold out. In that
way,  NebuAd  would  be  directly  harming  me. 

NebuAd says that individuals can opt out unless they are using a
Wi-Fi ISP. If someone does opt out, NebuAd will place a cookie (from
the Fair Eagle site) on the user’s machine that it claims will block the
data gathering and ad placement. That will not work for anyone who
does  not  know  about  the  “service”  or  who  removes  cookies  from  their 
machine  regularly  —  as  I  do. 

In  my  opinion,  any  ISP  that  secretly  deploys  such  a  device  should 
be  outed,  shunned,  then  sued  for  theft  by  every  Web  site  operator 
that has an ad overwritten or added. When you do so, please add
NebuAd  to  the  suit  for  contributory  sliminess.  I  hope  there  is  still 
enough  venture-capital  money  left  to  attract  the  right  kind  of 
lawyers. 

Disclaimer:  Harvard  trains  all  kinds  of  lawyers,  but  I  did  not  ask  any 
of them for their opinion of the value of these targets. Thus, the above
is  my  own  slime  exploration. 

Bradner  is  Harvard  University's  Technology  Security  Officer.  He  can  be 
reached  at  sob@sobco.com. 


NET  INSIDER 

Scott  Bradner 


E-discovery  and  records  retention 


At almost every conference I go to, I get
asked, “How long should I keep documents,
e-mail and other records?”
Document retention is one of the leading drivers
of the growth of storage. Most companies
are facing storage growth that exceeds 20% a
year. And although disk is getting cheaper, storage
administrators are getting more expensive.
So  how  do  we  balance  the  needs  of  regulatory 
compliance  and  litigation  with  the  rising  cost 
of  retaining  electronic  records?  You  won’t  like 
the  answer,  but  it  seems  that  the  best  approach 
is  to  try  to  retain  documents  forever. 

When  I  asked  participants  at  a  recent  security-research  benchmark 
what  their  retention  policies  were,  more  than  a  quarter  said  they  keep 
records forever. Why? These folks decided the risks of not having information
that might someday be asked for in court outweighed the costs
of retaining data permanently — a perspective that’s increasingly valid.
Another quarter said, “it varies.” In this case, the time frame varied
according to the kind of information being retained. Sometimes the
time frame was based on legal requirements and sometimes it wasn’t;
and in some cases time frames were reviewed regularly but most
weren’t. The remaining participants retained records for various fixed
periods,  typically  seven  to  10  years,  or  as  long  as  the  law  required  (and 
often  a  few  years  more). 

Outside of such heavily regulated industries as financial services, the
main driver for retention is litigation. Electronic-discovery rules, recently
updated by the federal courts, require companies to take reasonable
measures  to  produce  electronic  records  deemed  relevant  to  litigation. 
Many  executives  have  decided  that  deleting  records  regularly  might  be 
a  better  approach:  Less  to  find  means  less  costly  discovery  and  fewer 
surprises.  I  see  two  problems  with  that  approach. 

First, the other party in the litigation may end up with better evidence
because you have destroyed all of yours. Imagine a lawsuit, for example,
where one party has retained all the evidence that supports its
position, while the other has destroyed all evidence — including that
which could be used as a defense! Second, companies with short-term
retention policies have to enforce them through deliberate and consistent
record-destruction. If records linger past the official retention period,
a company could find discovery even more costly. Judges could
frown on a company that has claimed everything is destroyed, only to
have partial evidence surface after it has searched more carefully.

So,  while  forever  is  an  awfully  long  time,  with  carefully  planned  and 
executed information life-cycle policies, companies can extend retention
periods indefinitely. Many of the largest enterprises have decided
this is the best practice in the face of litigation. Unless you can guarantee
absolutely that all information is deleted when it should be, go for a
long  or  indefinite  retention  period. 

Antonopoulos  is  a  senior  vice  president  and  founding  partner  at 
Nemertes  Research,  an  independent  technology  research  firm.  He  can 
be  reached  at  andreas@nemertes.com. 


RISK  &  REWARD 

Andreas  Antonopoulos 
Biggest enterprise lie:
‘The network is down’

BY BERNIE LUBITZ

This article was contributed
by a reader. If you
have an opinion or technology
experience you would
like to share, contact Online
Community Editor Julie Bort
(jbort@nww.com).


Enterprise network professionals
take note: If you are considering
doubling the size of your flexible-spending
medical account to buy more Ibuprofen,
antacid and sleep aids, I’ve got
news for you. None of these is a cure
for the curdled stomach and throbbing
head caused by this dreaded
message:  “The  network  is  down.” 
Knowing  that  the  message  is  not  true 
99.9x%  of  the  time  is  not  the  cure 
either. 

As  the  director  responsible  for  the 
enterprise network of a midsize healthcare organization,
I can sympathize. Our telecommunication
technology department services a
converged network for data, voice, video and
physical security access control. The network
spans  25  buildings  in  a  40-mile  circumference 
linked  over  private  fiber.  During  the  hurricane 
seasons  of  2005  and  2006,  our  small  town  took 
three  direct  hits.  But  we  experienced  no  loss 
of  network  services. 

Our  network  is  completing  the  fourth  major 
upgrade  in  15  years.  Yes,  we  have  more  sites 
and  more  users,  but  that’s  not  the  only  reason 
driving us to move from 10M to 10G. We also
are upgrading because inefficient applications
have helped create a fivefold increase in
chatty broadcast traffic, which now comprises
25% of all network traffic. While network
devices have become more efficient at processing
packets, applications and operating
systems  have  not. 

Now, I ask: Should network departments
continue to increase bandwidth or take on
network application optimization to compensate
for poorly written code? I believe the best
solution  is  for  IT  departments  to  demand  that 
developers  of  operating  systems,  applications, 
hosts  and  end  devices  provide  more  efficient 
products. 

With  the  move  to  Intel-based  server/hosts 
and personal computers, somehow the network
got stuck with the expectation of compensating
for Microsoft’s operating systems.
The MS OS is used in the mainstream while
bugs continue to be found and patched.
Before the fix process is complete, a new OS
release will force the process to begin again.
Is there any enterprise network that has not
been down because of a DOS attack propagated
by poorly patched PCs or servers? A
manufacturer  of  network  equipment  would 
not  survive  with  a  level  of  bug  patching  equal 
to  Microsoft’s. 

But  when  a  customer  cannot  make  a  phone 
call,  connect  to  a  server,  access  a  database, 
send  a  document  to  a  printer  or  browse  a 
Web  site,  in  the  user’s  mind,  “the  network  is 
down.”  The  true  cause  more  often  than  not 
had nothing to do with network failure. A VoIP
phone may have lost a file and cannot
authenticate, a specific server on the
intranet could have been down, or the
Web site that was browsed was not
available. No matter. As users see it, “the
network  is  down.” 

We,  the  keepers  of  the  network,  know 
for  a  fact  that  network  availability  is 
consistently  99.9X%,  meaning  that 
only  a  few  thousandths  of  a  percent  of 
the  time  is  the  physical  network  at 
fault  when  a  user  experiences  trouble.  Gigabit 
Ethernet switching runs on redundant equipment
and redundant fiber; network-management
systems monitor traffic in real time; network
analyzers, network-access control and
intelligent-network  event  logs  continue  to 
enhance  reliable  network  service. 

But  all  these  improvements  have  done  little 
to  improve  customer  perception.  So  maybe 
network  support  groups  are  doing  something 
else wrong. Somehow we have not communicated
clearly and educated our users. I submit
to you that the enterprise network is the victim
of poor public relations. Much of the bad
PR  comes  from  other  disciplines  within  IT. 
Some  bad  PR  originates  from  the  public  and 
industry  news  media.  Yet  often,  we  are  our 
own  worst  enemy.  Network  guys  are  not 
known  for  their  participation  in  corporate 
politics  or  their  savvy  PR  skills. 

That  needs  to  change.  Enterprise  network 
professionals  need  to  make  an  all-out  effort  to 
let  people  know  the  network  is  not  down.  We 
need  to  use  easy-to-understand  explanations 
of  the  services  we  provide,  the  challenges 
encountered  and  the  solutions  in  place  that 
nullify  those  challenges.  We  need  to  help  our 
users  see  how  well  we  balance  financial 
expenditure to create an efficient, reliable network.
We need to talk on a regular basis with
our corporate executives and our users to
instill confidence in our work. Network professionals
need to talk the talk, not just walk
the  walk. 


Lubitz  is  the  director  of  telecommunications 
technology  for  Martin  Memorial  Health 
Systems,  Stuart,  Fla. 


NEWS  ANALYSIS 


Security 

continued  from  page  1 

vice president and founding partner of Nemertes Research (see
www.nwdocfinder.com/9426).

“The job of the CIO is to maximize return on investment, which by definition
requires taking risk,” Antonopoulos says. “The job of the CSO is to maximize
the amount of risk a company can take safely without going over the
company’s [preferred level of] risk tolerance.”

When CSOs see too much risk being taken, “they can’t report to the person
who’s creating risk,” he says. “The thing is, it’s the job of the CIO to
create risk. That’s what innovation is.”

Fundamental  conflict 

Even CIOs and CSOs who report having amicable relationships with their
security or technology counterpart acknowledge there is a fundamental
conflict between the roles.

“The goal of the CIO is to get the application deployed today,” says Joseph
Granneman, chief technology and security officer for Rockford Memorial
Hospital in Illinois. “When you add security analysis to the front end of a
project, sometimes it can delay it. Or if you do find security risks, that’s
not good news for the CIO.”

Granneman, who reports to his CIO, says they have developed a strong working
relationship over the past decade. CSOs must accept that businesses are in
the business of accepting risk, Granneman says. Compromise is essential.
“There’s always a way to get them what they need to make the business run,”
he says. “That’s what you’re really there for. You’re not there to say ‘no.’
You’re there to say ‘no, but’.”

At the Caregroup Healthcare System in Boston, CIO John Halamka says the CSO
— who reports to him — would prefer to have very few Web sites available on
the Internet. Before making data available on the Web, Halamka says he and
the CSO evaluate the potential risk and classify it into one of four
categories, which range from no risk at all to a risk that could compromise
many patient records.

“We do a risk assessment of each Web site . . . and then engineer a security
solution that is appropriate for the level of protection needed. The balance
between ease of use and the need for security is ensured using this
objective approach,” Halamka writes in an e-mail.

THE SECURITY STANDARD

The Fairmont Hotel, September 10 - 11, 2007, Chicago, IL

The skinny on The Security Standard

What: An IDG Executive Forum that takes a fresh, holistic approach to
understanding what it takes to deliver an effective enterprise security
strategy.

The University of Florida’s Hoit acknowledges that having the security
officer report to the CIO makes life simpler — for the CIO. “It makes it a
little easier,” he says.

Ruling with an iron fist, however, isn’t the right approach, Hoit says, and
it wouldn’t work at the university. Big decisions involve a governance
committee consisting of IT staff from each school — and then they must be
considered by a faculty committee, deans, administrators and a faculty
senate.

The university is trying to find a proper way to ensure the security of
student data, as federal law requires, while giving professors easy access
to files they need for grading. “Open, transparent conversation” involving
input from multiple parties is the key to finding a good compromise, Hoit
says.

Beyond securing applications and the personal information of customers and
employees, businesses must comply with regulatory standards, such as the
Sarbanes-Oxley Act, the Payment Card Industry data security standard and the
Health Insurance Portability and Accountability Act.

CSO  do’s,  don’ts 

Antonopoulos  argues  that  when  a  CSO  must 
report  to  a  CIO,  the  business  is  more  likely  to 
pursue  too-risky  technologies  and  skirt  the 
edges  of  compliance. 

“The CSO should have the equivalent powers you would give to an auditor or
audit department and should report, ideally, to the board,” Antonopoulos
says. “That’s actually higher than a CIO, quite frankly. . . . We believe
the CSO should be an officer of the company. His duty should lie with the
shareholders. The CSO is controlling the risk of the company so as not to
expose the shareholders to the most risk.”

The CSO also should not be allowed to take only risk into consideration, he
says. The best way to avoid risk, he notes, is to close a business entirely.
Antonopoulos recommends tying the financial compensation of security
officers to their ability to balance risk and innovation.

The location of the CSO in an organization is what “largely impacts the
dialogue and potential conflicts you have,” says Lloyd Hession, CSO of BT
Radianz in New York City. Hession reports to his CEO, making the CIO his
peer, he says. This has pros and cons, he notes. Being outside the
technology group, Hession must make a concerted effort to understand the
needs of IT. But it also gives him a better view of what is happening in the
business at large, he says.

“You  self-police  yourself  to  the  point  where 
you  only  try  to  achieve  what  you  know  makes 
sense  for  the  business,”  he  says. 

Hession says he also faces additional pressure to reach agreements with
department heads because nobody wants to waste the CEO’s time with an
unresolved conflict.

To  whom  should  CSOs  report? 

In a very small minority of companies, the CIO reports to the CSO. This
happens in financial services and other companies where regulatory
compliance poses a huge burden, Antonopoulos says.

In 30% of companies, the CSO works for the CIO, Antonopoulos says. There are
probably 15 other types of reporting relationships in the remaining 70% of
businesses, he adds.

One approach has the CSO reporting to the security team. Sunoco has
considered this, but CIO Peter Whatnell says he is concerned security
executives will not understand the needs of IT. Currently, the CSO works for
Whatnell.

“We have talked several times about, should our CSO move into the security
organization,” Whatnell says. “We’re not opposed to that, but we just think
there’s a level of maturity on their side to understand what’s the
difference between somebody scaling a barbed-wire fence as opposed to ...
trying to access our accounts-payable system.”

At  WebEx  Communications  in  Santa  Clara, 
Calif.,  CSO  Randy  Barr  reports  to  the  general 
counsel.  Barr  used  to  report  to  a  CIO,  but 
WebEx  hasn’t  had  one  since  it  was  acquired 
by  Cisco. 

“It’s actually better [reporting to legal counsel] in my opinion,” Barr
says. “There is a lot of work we have to do which may impact regulatory
requirements. . . . [The legal team] can immediately confirm what it is we
need to do to meet regulatory concerns. They don’t make a lot of decisions
on the IT or operations side that would present a conflict.” ■


ONLINE:  Read  parts  1  and  2 

Part one asks whether security pros worry about the right stuff. Part 2
talks of the do's and don'ts of data breaches.

www.nwdocfinder.com/9438 
and  /9439 
BY JULIE BORT • ILLUSTRATIONS BY KRISTIAN OLSON

If malware were insects, botnets would be termites. They burrow in behind
the walls of your security perimeter, lie dormant for a period of time, then
attack. Once a computer has been infested, it waits for orders from criminal
bot herders, who turn these zombie computers into massive bot networks that
spew spam and other malware across the Internet.

You may not be able to block the botnet invasion completely, but with layers
of bot-hunting technologies and common sense, you can minimize the effect on
your network.

‘Everybody  gets  bots’ 

Before you can battle the bots, you’ve got to understand the scope of the
problem. “We’ve been in denial about the scale of the problem,” says Michael
Barrett, CISO of PayPal in San Jose, Calif.

In fact, in a recent survey of 394 Network World readers responsible for
network security, a surprising 43.7% said they were successfully handling
the botnet invasion, while 26% said they saw little or no evidence of bots
on their networks. Another 30.2% conceded that they are struggling with
botnets.

But even though many respondents aren’t worried, that doesn’t mean the
threat isn’t there, says Rick Wesson, CEO of Support Intelligence, a San
Francisco firm that tracks bot outbreaks. On any given day, his company’s
honeypot will trap all kinds of insidious and fraudulent spam coming from
zombie clients.

“The deal is that these bot herders are pretty smart, operating systems are
very vulnerable and everybody gets bots. Most companies run pretty tight
networks, but the idea that you are not going to have bot networks running
on your systems is naive. We have a lot of data that says a sizable portion
of the Fortune 1000 has bots,” he says.

If the Fortune 1000 can’t stop bots, smaller organizations and consumers
don’t have a prayer. The little guys have fewer resources to perform
security updates or to monitor their networks and machines for strange
traffic patterns, says Ken Lloyd, director of security for security service
provider Cyveillance in Arlington, Va. Consumers are at the highest risk
because they tend to have the least security, Lloyd says.

“Enterprises have the problem, too, no doubt about it,” says Martin Roesch,
CTO of intrusion-detection software-maker Sourcefire. Enterprises are most
vulnerable to roving machines that aren’t properly set up to fight off
malware attacks. “That’s when there’s trouble — it’s people getting spammed
over [instant messaging], or Trojans and viruses over IM, or getting these
things in their in-box, or surfing where they shouldn’t be with vulnerable
versions of [Internet Explorer] and Firefox,” he says.

In  fact, Gartner  predicts  that  75%  of  enterprises  will  be  infected  by  bots 
by  year-end. 


Criminalization  of  the  Internet 

In the past year, bot herding has taken a disturbing turn to organized
criminal activity aimed at making money. The stereotypical teenager out for
ego-gratifying distributed denial-of-service attacks is a thing of the past.
For example, a high-profile arrest in London last summer involved a
63-year-old, a 28-year-old and a 19-year-old. These people are more
organized, more professional and more interested in stealth.

“The amount of effort involved in this would literally take a distribution
channel. You have the people making it, the people selling it, the people
using it. One person could not do this entire thing from creation to use.
Script kiddies are out of the question,” Lloyd says. “The people who are
running these things are basically into organized crime.”

Specifically, bot herders are launching high-paying scams, such as spam,
identity theft through keylogging (capturing keystrokes to learn users’
names and passwords), click fraud (automatically clicking on ad banners for
which advertisers pay per click) and warez (the distribution of pirated
software).

The scale and the amount of money involved can be enormous, researchers say.
For instance, click fraud accounts for about 14% of all clicks and as much
as 20% of the higher-priced ads, says ClickForensics. It cost advertisers an
estimated $666 million last year, says research firm IncreMentalAdvantage.
The Business Software Alliance claims that a quarter of the world’s software
is pirated, amounting to billions of dollars in losses for software makers.

Black-market servers — where people buy, sell and contract for botnets — are
flourishing. “Bots are a big part of the underground economy . . . It’s a
new twist, an explosion that we’ve seen in the last six months or so,” says
Oliver Friedrichs, director of emerging technologies for Symantec Security
Response. These servers are also the place where criminals sell stolen
information obtained from their bots, such as credit card numbers.

Because bot herders obviously spend resources managing and running their
botnets, they have become less interested in increasing the number of
networks they manage. Symantec reports that the number of
command-and-control servers diminished by 25% in the second half of 2006,
which indicates that bot herders are consolidating and making each network
larger, the company says.

Strange new attacks have caused security researchers to speculate that bot
herders are engaged in turf wars and attacking each other. The goal of some
malware may be to disable rivals’ drones; in the process, that causes havoc
with networks. For instance, one recent worm was directed at machines that
had visited a malicious pump-and-dump Web site. It infected the machines
with a virus that caused them to reboot continuously, rendering them useless
for legitimate work (and illegitimate uses), Web-monitoring firm Websense
reports.

Got bots?

The majority of 394 network professionals surveyed said they didn’t find
bots to be a problem. That runs contrary to overwhelming evidence by
researchers of widespread infection.

•  Zombies/botnets increasingly have been discovered on my company’s
   enterprise network, but our measures to eliminate them work well.

•  Zombies/botnets are a growing problem, and we are struggling to eradicate
   them on infected machines.

•  Zombies/botnets are not a significant problem; although we watch for
   them, we rarely see evidence that a machine has become contaminated.

•  I have not seen evidence that any computer on my company's enterprise
   network has ever been a zombie/botnet, so we do not particularly secure
   against them beyond our typical antimalware
   (virus/spam/phishing/spyware) efforts.

•  I do not have any experience with zombies/botnets.
Because bot herders are more interested in keeping their millions of
infected machines secret, they will activate a machine, blast the spam or
run the click-fraud game and quickly shut the connection down. Rootkit
infections operate invisibly to the operating system. And bot herders
control their machines via HTTP (not necessarily relying on Internet Relay
Chat); that means detecting bots on your network is hard to do.

Social-networking  diseases 

More worrisome still is that today’s bot herders use such techniques as
toxic blogs, cross-site scripting and iFrames, which do not require a user
to take any action, such as clicking on an e-mail attachment, to become
infected. If a PC with a vulnerable operating system or browser visits a Web
site or blog that contains malicious code, it is secretly infected.
Malicious JavaScript, sometimes in adware, is downloaded automatically to
the PC. Then it’s directed to other malicious Web sites to receive its
commands, and the bot is in business. With the popularity of inexpensive
Web-hosting based on shared servers, a hacker can use a single
operating-system vulnerability to gain access to dozens of Web servers.

Toxic  blogs  and  cross-site  scripting,  which  involve  planting  malicious 
code  into  an  otherwise  legitimate  site,  have  been  around  for  years.  Bot 
herders  are  finding  new  ways  to  make  use  of  them,  however.  Among  the 
more  infamous  instances  was  the  bot  herder  who  hacked  into  the 
Dolphins  Stadium  Web  site  just  before  the  Super  Bowl  —  a  time  when 
thousands  of  people  would  be  trying  to  buy  tickets. 

Social  networks,  too,  can  become  cesspools  of  malware,  because  these 
networks  let  users  upload  and  share  files,  data  and  other  potentially 
harmful  code.  With  iFrames,  invisible  frames  can  be  used  to  download 
undetected  malware  automatically  on  compromised  Web  sites,  as  well 
as  on  blogs  and  social  networks. 

“Web sites and social-networking sites — there’s so much personal
information on these sites and so many users, it’s just a gold mine of
info,” says Chris Boyd, director of malware research for FaceTime
Communications, a Web-monitoring company specializing in protecting
real-time applications, such as IM and VoIP.


HOW BIG IS THE BOTNET PROBLEM?

Watchdog organization Shadowserver Foundation tracks the number of detected
command-and-control servers — which indicates how many individual botnets
are out there — and the number of clients these servers control. From
November 2006 through May 2007, Shadowserver reported roughly 1,400
command-and-control servers active at any given time, though the number
varied hourly and ranged from 1,100 to more than 1,700. If that sounds like
small potatoes, consider that the real problem for enterprises isn’t the
number of networks but the skyrocketing number of drones they control. From
March through May, active drones grew at an alarming rate from about a half
million to more than 3 million, the organization says.

Shadowserver  doesn't  claim  this  is  a  count  of  all  the  bots  and 
botnets  out  there,  just  the  ones  it  detected  in  active  use.  No  one 
knows  how  many  machines  lie  dormant.  Some  researchers  even 
have  made  the  controversial  claim  that  as  many  as  11%  of  the  1.1 
billion  computers  worldwide  with  Internet  access  are  infected  and 
part  of  the  available  bot  pool. 

Symantec  says  it  found  6  million  infected  bots  in  the  second  half 
of  2006.  Currently,  about  3.5  million  bots  are  used  to  send  spam 
daily,  says  Gadi  Evron,  a  well-known  botnet  hunter. 

The point is that the scale now is so vast that trying to count bots has
become irrelevant. “The number doesn’t matter,” Evron says. “The bad guys
control as many bots as they need to.”

In  fact,  the  Department  of  Justice  and  FBI  have  identified 
more  than  1  million  victims  of  botnet  crimes. 




SIX  WAYS  to  fight  back  against  botnets 

Botnets are a growing threat, but there are six steps that security pros can take.


1.  HIRE  A  WEB-FILTERING  SERVICE. 

Web-filtering  services  are  one  of  the  best  ways  to  fight  bots.  These 
services  scan  for  Web  sites  exhibiting  unusual  behavior  or  known 
malicious  activity  and  block  those  sites  from  users. 

Websense, Cyveillance and FaceTime Communications are examples. All monitor
the Internet in real time to find Web sites engaged in suspicious activity,
such as downloading JavaScript and performing screen scrapes and other
tricks outside the boundaries of normal Web browsing. Cyveillance and
Support Intelligence also offer services that notify Web-site operators and
ISPs that malware has been discovered, so hacked servers can be fixed, they
say.

2.  SWITCH  BROWSERS 

Another tactic is to standardize on a browser other than Internet Explorer
or Mozilla Firefox, the two most popular and hence the browsers for which
most malware is written. The same tactic works for operating systems. Macs
statistically are safe from botnets, as is desktop Linux, because most bot
herders target Windows.


3.  DISABLE  SCRIPTS 

A more extreme measure is to disable scripts in browsers altogether, though
this could put a damper on productivity if employees use custom, Web-based
applications in their work.

4.  DEPLOY  INTRUSION-DETECTION 
AND  INTRUSION-PREVENTION  SYSTEMS 

Another approach is to fine-tune your IDSs and IPSs to look for botlike
activity. For example, any machine suddenly blasting away on Internet Relay
Chat is certainly suspicious. Ditto those connecting to offshore IP
addresses or illegitimate DNS addresses. Harder to notice, but another
telltale sign, is a sudden uptake in SSL traffic, particularly on unusual
ports. That could indicate a botnet-control channel has been activated. Look
for machines routing e-mail to servers other than your own. Botnet hunter
Gadi Evron further suggests that you learn to watch for Web crawlers that
operate at high “fetch levels.” Fetch levels activate all links located on a
Web page, and a high level could indicate a machine is being sent to a
malicious Web site.

An IPS monitors for behavior anomalies that indicate hard-to-spot HTTP-based
attacks and those from remote-procedure-call, Telnet and
address-resolution-protocol spoofing, among others. Worth noting, however,
is that many IPS sensors use signature-based detection, meaning that attacks
are added to a database as they are discovered. The IPS must be updated
regularly to recognize them, so after-the-fact detection will require
ongoing effort.

TYPES OF ATTACKS

Cross-site scripting: Inserting malicious JavaScript into the header of an
otherwise legitimate Web site.

DNS cache poisoning: Hacking a DNS so that it directs people who enter
legitimate URLs to the hacker’s malicious Web site.

iFrames: Invisible frames capable of executing malware.

Pharming: Creating an illegitimate copy of a real Web site and redirecting
traffic to the phony site to obtain information or download malicious code.

Pretexting: Pretending to be a legitimate entity to lure people to malicious
sites.

Toxic blogs: Uploading links to malicious Web sites; or, when blogs support
HTML or scripts, uploading malicious code or using iFrames.

5.  PROTECT  USER-GENERATED  CONTENT

Your own Web operations must also be protected from becoming unwitting
accomplices to malware writers. Unless you are trying to become the next
hip, Web 2.0 social network, your company’s public blogs and forums should
be restricted to text-only entries, advises Michael Krieg, vice president of
Web Crossing, maker of social-networking software and hosting services.

“I'm  not  aware  of  any  one  of  our  thousands  of  users  that  allows  a 
JavaScript  within  text  of  a  message;  same  thing  with  embedded  code 
and  other  HTML  tags.  We  don’t  let  people  do  it.  Our  apps  by  default 
strip  them  out,”  Krieg  says. 

Dan Hubbard, vice president of security research at Websense, adds, “That is
one of the big problems of user-created content sites, the Web 2.0
phenomenon. How do you balance the great functionality of allowing people to
upload stuff but not allow them to upload anything bad?”

The answer is to be specific. If your site needs to let members swap files,
it should be set to allow only limited and relatively safe file-types, those
with .jpeg or .mp3 extensions, for instance.

6.  USE  A  REMEDIATION  TOOL 

If you do find an infected machine, the jury is out about how best to do
remediation. Companies like Symantec assert they can detect and clean even
the deepest rootkit infection. In Symantec's case, it points to technology
it acquired with Veritas, VxMS (Veritas Mapping Service), which lets the
antivirus scanner bypass Windows File System APIs, which are controlled by
the operating system and therefore vulnerable to manipulation by a rootkit.
VxMS directly accesses raw Windows NT File System files. Other antivirus
vendors trying to protect against rootkits include McAfee and F-Secure.

Yet Evron argues that detecting malware after the fact could really be a
false scent — bait intended to make IT professionals believe they've
scrubbed the PC while the real bot code remains hidden. “Antivirus is not a
solution, because it is naturally reactive. The antivirus would have to
recognize [the problem], and therefore the antivirus could have been
manipulated,” he says.

This is not to say you shouldn’t try to implement the best rootkit fighter
you can find; just be aware that doing so is a bit like buying a safe after
your valuables have been stolen. Evron believes the only way to be sure that
a machine is clean is to wipe it and start from scratch.

By not letting your users visit known malicious sites, monitoring your
network for strange behaviors and defending your public sites from attacks,
you'll be in good shape, security experts unanimously agree. “I can see
where this odd sense of futility and hopelessness can come in if some
network guy wakes up and thinks, ‘What am I going to do about those millions
of botnets?’ Let the folks concentrating on fighting botnets on a day-to-day
basis worry about that one,” says Chris Boyd, FaceTime’s director of malware
research. “Just concentrate on locking down your network and protecting it
against infections — viruses, Trojans, spyware or adware. . . . Treat it as
a rogue file found on a PC. That’s all you need to do.”
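Several of the network indicators named under step 4 above (a machine talking IRC, DNS lookups sent to unsanctioned servers, SSL on unusual ports, mail routed to servers other than your own) can be checked against flow records. The following is an added example, not code from the article or from any vendor it mentions; the record layout, addresses, port lists and threshold are assumptions, "illegitimate DNS addresses" is read here as any resolver outside a sanctioned list, and the "sudden" SSL uptake is approximated by a per-batch count.

```python
"""Flag the bot-like traffic patterns from step 4 in a batch of flow records.

Added illustration: the record layout, addresses, port lists and threshold
below are assumptions for this example, not values from the article.
"""
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records: time,src,dst,dst_port,app
# ("app" is the protocol the sensor identified, independent of the port).
SAMPLE_FLOWS = """\
09:00:01,10.1.4.20,10.1.0.25,25,smtp
09:00:02,10.1.4.20,10.1.0.53,53,dns
09:00:05,10.1.4.31,198.51.100.7,6667,irc
09:00:06,10.1.4.31,198.51.100.7,6667,irc
09:00:09,10.1.4.44,203.0.113.9,25,smtp
09:00:10,10.1.4.44,203.0.113.77,25,smtp
09:00:12,10.1.4.52,192.0.2.80,443,ssl
09:00:13,10.1.4.52,192.0.2.14,8081,ssl
09:00:14,10.1.4.52,192.0.2.14,8081,ssl
09:00:15,10.1.4.52,192.0.2.14,8081,ssl
09:00:20,10.1.4.60,203.0.113.53,53,dns
09:00:21,10.1.0.25,203.0.113.9,25,smtp
"""

INTERNAL = ip_network("10.1.0.0/16")        # assumed internal address space
MAIL_SERVERS = {ip_address("10.1.0.25")}    # assumed: only hosts allowed to send mail out
DNS_RESOLVERS = {ip_address("10.1.0.53")}   # assumed: sanctioned resolvers
IRC_PORTS = set(range(6660, 6670)) | {7000}
USUAL_SSL_PORTS = {443, 465, 993, 995}
SSL_ODD_PORT_THRESHOLD = 3                  # odd-port SSL flows per host per batch


def parse_flows(text):
    """Yield one dict per well-formed record; skip malformed rows."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue
        when, src, dst, port, app = (cell.strip() for cell in row)
        try:
            yield {"time": when, "src": ip_address(src), "dst": ip_address(dst),
                   "port": int(port), "app": app.lower()}
        except ValueError:
            continue  # bad address or port: ignore the row


def find_botlike_hosts(text):
    """Return {internal host: sorted list of indicators seen for it}."""
    findings = defaultdict(set)
    odd_ssl = defaultdict(int)
    for flow in parse_flows(text):
        src, dst, port, app = flow["src"], flow["dst"], flow["port"], flow["app"]
        if src not in INTERNAL:
            continue
        external = dst not in INTERNAL
        # A workstation talking IRC, by identified protocol or by well-known port.
        if app == "irc" or (external and port in IRC_PORTS):
            findings[src].add("irc")
        # Mail sent straight to an outside server instead of through your own.
        if port == 25 and external and src not in MAIL_SERVERS:
            findings[src].add("direct-smtp")
        # DNS lookups sent anywhere other than the sanctioned resolvers.
        if port == 53 and dst not in DNS_RESOLVERS and src not in DNS_RESOLVERS:
            findings[src].add("unsanctioned-dns")
        # SSL identified on a port where it is not normally seen.
        if app == "ssl" and port not in USUAL_SSL_PORTS:
            odd_ssl[src] += 1
    for src, count in odd_ssl.items():
        if count >= SSL_ODD_PORT_THRESHOLD:
            findings[src].add("ssl-odd-port")
    return {str(host): sorted(tags) for host, tags in findings.items()}


if __name__ == "__main__":
    for host, tags in sorted(find_botlike_hosts(SAMPLE_FLOWS).items()):
        print(host, ", ".join(tags))
```

The sanctioned mail server and resolver in the sample are deliberately not flagged; in practice those allowlists and the threshold have to be tuned to the network's own baseline.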
CLEAR CHOICE TEST: VIRTUAL MACHINE MANAGEMENT

Network  General  teaches  NetVigil  new 
VM  monitoring  tricks 

Tool  tracks  movements  of  both  VMware  and  Microsoft  virtual  servers 


BY  TOM  HENDERSON  AND  RAND  DVORAK,  NETWORK  WORLD 
LAB  ALLIANCE 

The Holy Grail of “holistic” application platform monitoring has been picked
up by Network General. To its NetVigil monitoring product, the company has
added modules that let IT personnel peer into the workings of two popular
virtualization products: VMware’s ESX and Microsoft Virtual Server.

Until now, the ability to keep a close eye on the hypervisor layer in
virtual server environments has been elusive. By tapping into the virtual
service-messaging processes, NetVigil now aggregates information about
hosted operating systems and applications running on them with physical and
network data points.

As  virtual  machines  propagate  throughout  the  enterprise  at  alarming 
rates  —  industry  analysts  have  predicted  that  this  market  will  ring  in 
close  to  $30  billion  next  year  —  IT  is  scrambling  to  manage  virtualized 
resources  alongside  traditional  physical  resources. 

NetVigil is targeted at IT administrators who require a comprehensive view
of application behavior, ranging from application responsiveness to
underlying virtual-machine platform behavior to network conditions typically
reported on by the wider NetVigil network monitoring functions (see a test
of those capabilities at www.nwdocfinder.com/9421). The NetVigil modules
also can be anchored to the virtual machines’ popular rapid-rehosting and
resource-tuning capabilities, to provide IT personnel with information about
when they should be reallocating business application resources to gain
optimal performance.

In  this  testing  of  virtual-machine-monitoring  capabilities  (see  “How  we 
did  it,”  page  34),  we  found  it  takes  a  lot  of  preparation  and  configuration 
work  to  yield  useful  data.  But  once  that  work  was  done,  we  became 
addicted  to  its  rapidly  discernible  monitoring  interface,  which  provides 
a  view-of-views  for  all  major  applications  running  on  our  systems. 

NetVigil’s management console provides administrator-crafted views of
application process and platform groups as modular containers of
information. The containers are meant to represent discrete application
functions such as Web servers or e-mail servers.

Making NetVigil useful takes administrative work and explicit knowledge of
network, server, virtual server, operating system and application parameters
in order for it to pay off in terms of tying the information together into
logical and sensibly grouped containers. Fortunately, highly articulate
views of business objects can be made, then poised toward alarm generation
and easily understandable reports about business object conditions.

Although  NetVigil  depends  on  input  data  it  has  no  control  over  —  it 
taps  into  Microsoft’s  Windows  Management  Instrumentation  (WMI)  for 
Microsoft  Virtual  Server  information  and  SNMP-supplied  VMware  data 
—  it  lets  system  administrators  get  useful,  broad-brush  views  of  virtual 
systems’ health. It can perform better than the most basic tests to assess
system health, such as simple ping (are you alive?) tests and HTTP page
loads  (is  the  server  up  and  coughing  out  pages  in  a  timely  way?)  in  an 
ad  hoc  or  regularly  scheduled  fashion.  Additionally,  an  administrator 
can  set  virtual-machine  system  performance  thresholds  that  trigger  an 
alarm  if  exceeded. 

■  Independent,  unbiased  product  testing. 

Go  online  for  Network  World's  ethical  testing  policy 

www.networkworld.com/reviews


Network  General  NetVigil  (Version  4.50.085) 

• Network General, www.networkgeneral.com

Price: Starts at $50,000.

Pros: Sophisticated application and virtual machine monitoring;
strong forensic analysis for popular products; strong
administrative interface.

Cons: Virtual-machine modules require significant system
knowledge to install; VMware's Management Information
Base provides less information than Microsoft's Windows
Management Instrumentation.


Start  your  engines 

Network General divides NetVigil forensics and system health testing
into two basic groups, those driven by data movement and network protocol
analysis — a Network General traditional core strength — and
component analysis. The latter comes from NetVigil’s standard components
called the self-explanatory Data Gathering Engines (DGE) and
Business Visibility Engines (BVE), which serve up system information
such as hardware data, operating system statistics such as disk space
consumed and CPU utilization, and overall system performance parameters
such as a Web server’s latency as measured through a NetVigil
test sequence result.

Wrap these pieces of data together and they become a business application
view. The added components of VMware and Microsoft Virtual
Server monitoring capabilities let systems managers reallocate
resources to sharpen an application platform’s resource utilization and
efficiency. For example, should a Web resource on a server exhibit troubling
high utilization, VMware’s Virtual Center Server could be accessed
to reallocate resources on a server host to benefit the server needing
additional CPU resources.

BVE  components  aren’t  quite  plug-and-play  infrastructure  monitors, 
but with a little engineering they make a useful forensic, decision-support,
alarm system for applications that live on virtualized host platforms.

NetVigil  DGEs  are  the  core  licensing  components  (the  more  DGEs 
you  have,  the  steeper  the  cost).  DGEs  install  on  Linux  (Red  Hat,  Fedora 
Core), Solaris or Windows servers. We found that 64-bit Linux isn’t supported
for NetVigil DGEs and although it seemingly installs correctly, it
produces  odd  errors.  DGEs  get  information  for  each  discrete  virtual 
machine,  so  that  it  can  be  viewed  apart  from  other  virtual  servers  and 
then  correlated  for  a  business  view  with  other  information.  Data  flows 
are shown, with percentile, mean, max and standard deviation assessment
for each virtual machine. WMI data provides many more data
points  on  MVS  in  our  estimation  when  compared  with  the  VMware 
SNMP  Management  Information  Base  (MIB)  data  sets. 

We  were  able  to  monitor  VMware-hosted  virtual  machines  (48  of 
them)  as  well  as  more  than  24  Microsoft  virtual  machine  hostings  of 
Windows 2003 Enterprise Server — concurrently. We noticed no latency
on  the  DGE  host  machine  —  a  Windows  2003  Standard  Edition  Server 
running  a  3.0GHz  32-bit  AMD  Athlon  CPU  —  in  monitoring  throughout 
our  tests  even  when  NetVigil  was  under  high  loads. 

Devices  that  can  be  monitored  must  have  static  IP  addresses;  DHCP 
throws  off  the  ability  for  NetVigil  to  poll  devices.  Devices  may  have  to 
be entered manually if they’re stealthily protected from common probing
techniques.

After  a  few  installation  steps,  NetVigil  performs  a  probe  of  specified 
network  addresses  to  see  what  devices  live  on  the  network. 
Administrator-defined,  permission-based  roles  are  then  applied,  so  that 
both  IT  staff  and  concerned  civilians  (think  CFOs)  can  look  at  system 
performance and availability reports. This also creates a class of alarm
designee  for  differing  events  that  can  occur.  It’s  nice  not  to  bother  the 
CEO  when  there’s  high  memory  thrashing  on  a  Web  application,  but  it 
might  be  very  important  to  a  Web  administrator,  and  the  role  definition 
allows  partitioning  of  information  to  an  appropriate  audience. 

DGEs  probe,  listen  to  and  test  devices  on  the  network.  We  configured 
our DGE to listen for VMware SNMP traps, periodically run a test on an
Internet Information Server running on MVS and an Apache server running
on VMware. We also set the DGE probes to look for FTP files on targeted
virtual machines.

We tested thresholds and settings by randomly killing virtual
machines, making CPUs go berserk and generally mucking with numerous
threshold tests. NetVigil unerringly delivered the errant information
and set off alarms that filled our e-mail in-boxes.

In  the  pits 

We  found  several  oddities  while  testing  NetVigil.  The  GUI  times  out 
after  a  lack  of  use,  which  is  good  for  security  purposes.  But  what’s  odd 
is  that  the  password  for  the  console  is  cached  on  the  logon  screen, 
negating  the  useful  effects  of  the  screensaving. 

It’s  easy  to  become  overwhelmed  by  the  user  interface,  and  while 
devices  and  settings  can  be  correlated,  it  can  be  easy  to  attempt  to 
cram  too  much  information  on  the  console’s  views.  Indeed,  NetVigil 
was  able  to  drill  down  and  monitor  the  CPU  utilization  on  one  of  our 
test  servers,  twin-CPU  quad-core  IBM  x3650  servers.  It’s  very  tempting  to 
clog  the  user  interfaces  with  information. 

Overall 

While it took a significant amount of time to configure and tune
NetVigil (we had several fruitful calls to Network General’s tech support
personnel as documentation on configuration isn’t very clear), the
reward is a highly articulate console and alarm system with specific ties
to monitoring virtual machines without issue.

Henderson is principal researcher and Dvorak is a researcher for
ExtremeLabs in Indianapolis. They can be reached at
thenderson@extremelabs.com.


How we did it

We deployed EMC VMware ESX Server across three platforms,
an IBM x3550, IBM x3650 and IBM HS-21 XM blade
(all with twin, four-core Intel CPUs, 16GB to 32GB of
dynamic RAM with 146GB of SAS disks) and used Windows 2003
Enterprise Server and Red Hat RHEL5 operating systems. We
generated 48 virtual servers (16 per physical server).

We connected VMware’s SNMP Management Information Base
(MIB) to the NetVigil program and commenced using both the
MIB and operating system specific tests, tracking whether the tests
created the expected alarm conditions. We then tested applications
(HTTP, Microsoft Exchange Server, Microsoft SQL Server,
Microsoft DNS services, as well as Berkeley Internet Name
Domain and Lightweight Directory Access Protocol on Linux)
and tracked simulated events with each application, noting
NetVigil’s ability to correctly track tracking.

We then used Microsoft’s MVS to host several instances of
Microsoft Windows Enterprise server and performed the
Microsoft-specific tests, noting variance from WMI-produced data.
Under both VMware and MVS, we checked simulated business
application object settings to profile normal conditions for the
applications we tested, and proceeded to simulate out-of-threshold
circumstances to track alarm notification and correct correlation
settings for alarms.

Big Entertainment is the new threat

BACKSPIN
Mark Gibbs

Last week I discussed the double-think and
newspeak of “the Campaign to Protect
America,” an initiative launched by the
Coalition Against Counterfeiting and Piracy as
well as the shameful strong-arm bullying tactics
of the Recording Industry Association of
America.

My  big  concern  about  this  coalition  is  that  it 
isn’t  just  about  Big  Entertainment  trying  to  stop 
“piracy”;  it  also  includes  the  National  Association  of  Manufacturers  and 
Big  Pharma  on  the  pretext  of  addressing  the  problems  of  counterfeiting. 

As I suggested at the end of last week’s rant, the CACP ploy could be
very  bad  news  for  us  all,  because  its  goal  will  be  to  extend  the  law  into 
all  sorts  of  areas  where  we  really  don’t  want  it,  and  I  threatened  that  this 
week  I’d  look  at  what  it  might  be  able  to  do. 

Well,  here’s  the  worst-case  scenario:  Consumer  PCs  would,  by  law,  be 
directly monitored by ISPs to ensure compliance and the legal consequences
for any attempt to circumvent monitoring would make the
punishment  for  murder  look  like  a  slap  on  the  wrist. 

“Oh, come on, Gibbs,” you might be saying. “That’s ridiculous!”

You  think?  Well,  in  Australia  there  is  an  example  of  a  real  foray  by  Big 
Entertainment  into  the  lives  of  consumers.  The  customers  of  an 
Australian ISP, Exetel, have all audio and video content in their
accounts  automatically  deleted  every  night.  Exetel  has  been  doing 
this  for  over  a  year,  and  their  customers  are  informed  when  they  sign 
up  that  this  will  happen. 

But  what  really  matters  is  why  the  company  is  doing  this:  According 
to Exetel's FAQ, the reason for the nightly purge isn’t anything as sensible
as space conservation; instead, it says it is a “hard approach to copyright
issues.”


It  is  true  that  users  can  avoid  losing  their  content  by  writing  to  Exetel 
and  confirming  that  they  have  the  right  to  store  the  multimedia  content, 
but  the  real  issue  is  that  Exetel  would  become  actively  involved  in 
policing  content  with  all  of  the  legal  responsibility  it  would  take  on  by 
doing  so. 

Remember  Rick  Cotton,  the  general  counsel  of  NBC/Universal,  who  I 
mentioned  last  week?  A  couple  of  weeks  ago  he  actually  suggested  that 
ISPs  spend  more  of  their  time  spying  on  users  and  then  suggested  that 
the  law  be  changed  to  remove  the  safe-harbor  provisions  that  protect 
ISPs  when  their  customers  have  pirated  materials!  According  to  several 
sources,  Cotton  would  like  to  see  ISPs  forced  to  use  “readily  available 
means to prevent the use of their broadband capacity to transfer pirated
content.”

My  scenario  still  sound  far-fetched?  AT&T  is  on  record  that  it  plans  to 
develop  and  deploy  mechanisms  for  finding  and  removing  copyright 
material  from  its  network. 

If  AT&T  does  do  such  a  thing,  then  it  is  certain  that  every  other  major 
ISP, like the lemmings they are, will follow suit, and the consequences
will  be  tremendous. 

The RIAA, for example, could be expected to escalate its campaign to
prosecute people it believes to be infringing on members’ copyrights,
because it can demand that the ISPs inform them of infringements they
discover. The money from the extortion will ensure enough cash flow to
keep the RIAA’s legal machine in top gear.

From  there  to  mandatory  monitoring  of  your  Internet  connection, 
and then your home PC is just a few short steps away.

So  does  my  worst-case  scenario  still  sound  ridiculous? 

Send  comments  to  backspin@gibbs.com. 


Amazon  rids  Disney-related  site  of  undie  ads 
When last we left Al Lutz, proprietor of
MiceAge.com — your independent
source for all matters Disney — his visitors
were being besieged by buff male advertising
models wearing nothing but jockstraps
. . . and he was beside himself with frustration
over Amazon’s inability to help.

That was three weeks ago (www.nwdocfinder.com/9442).
The other day I sent Lutz an e-mail
asking if there was anything new to report.
“Yes, a happy ending,” he replied, “thanks to you, of course!” (Columnist
blushes.)

Not  only  has  there  been  a  satisfying  resolution  for  Lutz,  the  episode 
eventually  may  lead  to  a  better  experience  for  many  other  Amazon 
advertising  partners. 

“No more jockstraps,” Lutz said, “and, from what was indicated to me,
about 20,000 other ‘inappropriate’ items have been added to the filter.
‘Woody’ from Amazon originally called June 15, then followed up on
June 18 with the note below.”

Here’s  what  Woody  wrote: 

“Hi Al: Just writing to let you know that we have blocked the offending
item and I’ve been refreshing your page a number of times and
haven’t  seen  it. . . .  We  are  following  up  by  blocking  a  significant  number 
of  similar  products,  and  I’ll  be  talking  with  the  technical  team  about 
your  suggestion  of  a  control  panel  to  allow  you  as  a  site  owner  to  ask 
for  specific  products  to  be  blocked.  Please  let  me  know  if  you  are  still 
having  issues  with  our  ads.” 

That  result  represented  a  dramatic  turnaround  from  what  Lutz  had 
been  told  before  his  plight  was  aired  on  this  page  and  in  Buzzblog. 

“I felt that once you got this to Amazon’s attention, they were sincere
about fixing the problem,” Lutz told me (more blushing). “But the hurdles
that had to be overcome to get this to the folks in charge [especially
in getting past the customer service reps] were awfully high.”

In  retrospect,  Lutz  now  believes  his  initial  frustrations  may  have  come 
as  a  result  of  a  complaint  that’s  common  to  service  customers  of  all 
kinds. 

“A  friend  of  mine  who  until  last  month  used  to  work  both  locally  and 
in India with call centers just smiled when I told him what was going
on,”  Lutz  said.  “At  his  prompting,  I  asked  Woody  if  my  e-mails  were 
answered  abroad,  and  he  seemed  to  admit  it.” 

Of  course,  that  alone  wouldn’t  necessarily  account  for  what  Lutz  saw 
as  indifference  to  his  situation. 

“My friend agreed the unfortunate combination of the words ‘jockstrap’
and ‘Disney’ should have set off alarm bells. But he noted that in
a different culture they don’t always comprehend the connections or
understand the urgency. While we may share a language, we don’t
always share the same sensitivity.”

‘7 Wonders of the Internet’

This  past  Saturday  “The  New  7  Wonders  of  the  World”  were  to  be 
unveiled in a ceremony in Lisbon, Portugal. Architecture: Could anything
be any more 20th Century?

Here  at  Buzzblog,  we  enlisted  the  help  of  my  e-mail  list  —  the 
Buzzblog  Brigade  —  and  took  on  a  more  modern  assignment:  “The  7 
Wonders  of  the  Internet.”  The  only  rule  I  offered  our  voters  was  that 
there  would  be  no  rules  —  and  no  real  vote.  The  results  —  which  can 
be  found  at  www.nwdocfinder.com/9441  —  are  something  of  a 
Buzzblog  community  consensus  influenced  by  my  personal  biases. 

Each  slide  has  a  link  to  a  string  of  comments  from  the  participants. 
And,  of  course,  we  want  you  to  leave  your  thoughts. 

Or  write  to  me:  buzz@nww.com. 